
Analysis Report PAYMENT-PO#45678.exe

Overview

General Information

Sample Name: PAYMENT-PO#45678.exe
Analysis ID: 433324
MD5: 438425f009b373154e4e3629c3539581
SHA1: 5f686134a72fe1260d504dedc88d8500c4f0c1f6
SHA256: b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd
Tags: exe

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PAYMENT-PO#45678.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\PAYMENT-PO#45678.exe' MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 6688 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 6736 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
      • schtasks.exe (PID: 6788 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6844 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT-PO#45678.exe (PID: 6920 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0 MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 7020 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
  • dhcpmon.exe (PID: 6968 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 438425F009B373154E4E3629C3539581)
    • dhcpmon.exe (PID: 7040 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 438425F009B373154E4E3629C3539581)
  • dhcpmon.exe (PID: 4952 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 438425F009B373154E4E3629C3539581)
    • dhcpmon.exe (PID: 6340 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 438425F009B373154E4E3629C3539581)

Malware Configuration

Threatname: NanoCore

Version: 1.2.2.0
Mutex: fa01d1ff-8193-42b2-a0e1-b0e6c90b
Group: PO-#9874567
Domain1: doc-file.ddns.net
Domain2: 127.0.0.1
Port: 7755
KeyboardLogging: Enable
RunOnStartup: Enable
RequestElevation: Disable
BypassUAC: Enable
ClearZoneIdentifier: Enable
ClearAccessControl: Disable
SetCriticalProcess: Disable
PreventSystemSleep: Enable
ActivateAwayMode: Disable
EnableDebugMode: Disable
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: ffff0000
MaxPacketSize: 0000a000
GCThreshold: 0000a000
UseCustomDNS: Enable
PrimaryDNSServer: 8.8.8.8
BackupDNSServer: 8.8.4.4
BypassUserAccountControlData (scheduled-task XML, shown with its \r\n escapes decoded; the extracted blob ends in </Task without the closing >):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
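The configuration above is what a responder has to turn into indicators, and the embedded task XML deserves a proper look rather than being read as an escaped string: RunLevel HighestAvailable with LogonType InteractiveToken makes the task run with the user's full token, without a UAC prompt, whenever the user is a local administrator, and the "#EXECUTABLEPATH" command is a placeholder the client fills in before the XML reaches schtasks. The following is an added example written for this page, not Joe Sandbox's extractor or NanoCore code. It assumes the extractor output arrives as the JSON shown, keeps only the configuration keys it uses, and treats the missing ">" on the final </Task as extractor trimming (an assumption).

```python
"""Added example for this page: turn the extracted NanoCore configuration into
indicators and inspect the embedded scheduled-task XML. Illustrative code, not
Joe Sandbox's extractor and not NanoCore itself."""
import ipaddress
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed copy of the configuration shown above. Keys this example does not
# use are omitted, and the task XML keeps only the Principals and Actions
# elements; like the page's blob it ends in "</Task" with no closing ">".
NANOCORE_CONFIG = json.dumps({
    "Version": "1.2.2.0",
    "Mutex": "fa01d1ff-8193-42b2-a0e1-b0e6c90b",
    "Group": "PO-#9874567",
    "Domain1": "doc-file.ddns.net",
    "Domain2": "127.0.0.1",
    "Port": 7755,
    "KeyboardLogging": "Enable",
    "RunOnStartup": "Enable",
    "RequestElevation": "Disable",
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "SetCriticalProcess": "Disable",
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8",
    "BypassUserAccountControlData": (
        '<?xml version="1.0" encoding="UTF-16"?>\r\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
        '  <Principals>\r\n'
        '    <Principal id="Author">\r\n'
        '      <LogonType>InteractiveToken</LogonType>\r\n'
        '      <RunLevel>HighestAvailable</RunLevel>\r\n'
        '    </Principal>\r\n'
        '  </Principals>\r\n'
        '  <Actions Context="Author">\r\n'
        '    <Exec>\r\n'
        '      <Command>"#EXECUTABLEPATH"</Command>\r\n'
        '      <Arguments>$(Arg0)</Arguments>\r\n'
        '    </Exec>\r\n'
        '  </Actions>\r\n'
        '</Task'
    ),
})

# Options whose "Enable" value changes what to look for on the host.
HOST_IMPACT_OPTIONS = ("BypassUAC", "ClearZoneIdentifier", "KeyboardLogging",
                       "RunOnStartup", "SetCriticalProcess")


def load_config(raw: str) -> dict:
    return json.loads(raw)


def c2_indicators(cfg: dict) -> list:
    """(host, port) pairs worth blocking. A non-routable address in a Domain
    slot (127.0.0.1 here) is not infrastructure you can block, so skip it."""
    out = []
    for key in ("Domain1", "Domain2"):
        host = cfg.get(key, "")
        if not host:
            continue
        try:
            if not ipaddress.ip_address(host).is_global:
                continue
        except ValueError:
            pass  # a hostname, keep it
        out.append((host, int(cfg["Port"])))
    return out


def enabled_host_options(cfg: dict) -> list:
    return sorted(k for k in HOST_IMPACT_OPTIONS if cfg.get(k) == "Enable")


def parse_task_xml(blob: str) -> ET.Element:
    """Parse the task definition the client hands to schtasks. The declaration
    claims UTF-16 but we already hold decoded text, so drop it; and repair the
    trimmed final tag (assumed to be an extractor artefact, not the real file)."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", blob).strip()
    if text.endswith("</Task"):
        text += ">"
    return ET.fromstring(text)


def task_summary(cfg: dict) -> dict:
    root = parse_task_xml(cfg["BypassUserAccountControlData"])
    command = root.findtext(f".//{TASK_NS}Command") or ""
    return {
        "run_level": root.findtext(f".//{TASK_NS}RunLevel"),
        "logon_type": root.findtext(f".//{TASK_NS}LogonType"),
        "command": command,
        "arguments": root.findtext(f".//{TASK_NS}Arguments"),
        # "#EXECUTABLEPATH" is assumed to be a template slot the client fills
        # with its install path; a dump that still shows it is the template.
        "is_template": "#EXECUTABLEPATH" in command,
    }


if __name__ == "__main__":
    cfg = load_config(NANOCORE_CONFIG)
    print("C2:", c2_indicators(cfg))
    print("Host options enabled:", enabled_host_options(cfg))
    print("Task:", task_summary(cfg))
```

The filled-in version of this template is what the two schtasks.exe calls in the process tree register from tmp8E26.tmp and tmp91A2.tmp under the names "DHCP Monitor" and "DHCP Monitor Task"; the install path dhcpmon.exe in the tree is the obvious candidate for the substituted command, though the report does not show the written XML.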

Yara Overview

Memory Dumps

Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x9c12d:$x1: NanoCore.ClientPluginHost
  • 0x9c16a:$x2: IClientNetworkHost
  • 0x9fc9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
(108 memory-dump entries in the full report; the first are shown here)

Unpacked PEs

Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
(223 unpacked-PE entries in the full report; the first are shown here)
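The offset listings above are just string hits: .NET type and member names such as NanoCore.ClientPluginHost sit in the assembly's #Strings heap as UTF-8, while user strings such as "NanoCore Client.exe" sit in the #US heap as UTF-16LE, which is why a rule has to search both encodings, and the "#=q" prefix on the $x3 and $j hits is the symbol-renaming marker of the Eazfuscator.NET obfuscator. The following is an added example written for this page, not Joe Sandbox code and not a re-implementation of the quoted rules' exact conditions: a small scanner that reproduces this kind of listing for a dump or unpacked PE. The strings come from the hits listed above; the split into "strong" and "weak" strings, the 6-of-weak threshold and the sample buffer are this example's own choices.

```python
"""Added example for this page: a minimal string scanner that produces the kind
of offset listing shown in the Yara Overview. Written for this page; not Joe
Sandbox code and not the quoted YARA rules' conditions."""
import re

# Strings taken from the rule hits above. "strong" (rule-specific type names)
# versus "weak" (generic tokens) and the 6-of-weak threshold are this example's
# choices, not the published rules' conditions.
STRONG = {"x1": b"NanoCore.ClientPluginHost", "x2": b"IClientNetworkHost"}
WEAK = {"a": b"NanoCore", "b": b"ClientPlugin", "c": b"ProjectData",
        "d": b"DESCrypto", "e": b"KeepAlive", "g": b"LogClientMessage",
        "i": b"get_Connected", "j": b"#=q"}


def scan(buf: bytes, patterns: dict) -> list:
    """Sorted (offset, id, encoding) hits. Metadata names are UTF-8 in the
    #Strings heap, user strings UTF-16LE in the #US heap, so both encodings are
    searched (the equivalent of YARA's `ascii wide`)."""
    hits = []
    for ident, pat in patterns.items():
        for enc, needle in (("ascii", pat), ("wide", pat.decode().encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), buf):
                hits.append((m.start(), ident, enc))
    return sorted(hits)


def verdict(buf: bytes) -> dict:
    hits = scan(buf, {**STRONG, **WEAK})
    ids = {ident for _, ident, _ in hits}
    strong = sorted(ids & set(STRONG))
    weak = sorted(ids & set(WEAK))
    return {"match": bool(strong) or len(weak) >= 6,
            "strong": strong, "weak": weak, "hits": hits}


def format_hits(hits: list) -> list:
    """Render hits the way the report does: 0xOFFSET:$ID."""
    return [f"0x{off:x}:${ident}" for off, ident, _ in hits]


def build_sample() -> bytes:
    """Constructed stand-in for a dumped .NET image: a #Strings-style heap of
    NUL-separated UTF-8 names plus one UTF-16LE user string. Not real NanoCore
    bytes; the obfuscated name is the one quoted in the report."""
    names = [b"NanoCore.ClientPluginHost", b"IClientNetworkHost", b"ProjectData",
             b"DESCryptoServiceProvider", b"KeepAlive", b"LogClientMessage",
             b"get_Connected",
             b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe"]
    strings_heap = b"\x00" + b"\x00".join(names) + b"\x00"
    user_strings = "NanoCore Client.exe".encode("utf-16-le")
    return b"MZ" + b"\x00" * 62 + strings_heap + b"\x00" * 16 + user_strings


if __name__ == "__main__":
    v = verdict(build_sample())
    print(v["match"], v["strong"], v["weak"])
    print("\n".join(format_hits(v["hits"])))
```

Running it on a real dump is a matter of replacing build_sample() with the file's bytes; the wide hit on "NanoCore" comes only from the UTF-16 user string, which is the case a rule without the `wide` modifier would miss.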

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created; author: Joe Security; data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT-PO#45678.exe, ProcessId: 6736, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview


        AV Detection:

Found malware configuration
Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: PAYMENT-PO#45678.exe, ReversingLabs: Detection: 41%
Yara detected Nanocore RAT
Source: Yara match. File sources of type MEMORY:
  0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp
  00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp
  0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp
  0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp
  0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp
  0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp
  0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp
  0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp
  00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp
  00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp
  00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp
  0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp
  0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp
  0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp
  0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp
  0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp
  00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp
  00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp
  00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp
  00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp
  0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp
  0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp
  00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp
  00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp
  0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp
  0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp
  00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp
  00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp
  00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp
  00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp
  0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp
  00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp
  Process Memory Space: dhcpmon.exe PID: 7040
  Process Memory Space: dhcpmon.exe PID: 6968
  Process Memory Space: PAYMENT-PO#45678.exe PID: 6920
  Process Memory Space: PAYMENT-PO#45678.exe PID: 6736
  Process Memory Space: dhcpmon.exe PID: 6340
  Process Memory Space: PAYMENT-PO#45678.exe PID: 7020
  Process Memory Space: dhcpmon.exe PID: 4952
  Process Memory Space: PAYMENT-PO#45678.exe PID: 6600
File sources of type UNPACKEDPE:
  0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
  8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack
  13.0.dhcpmon.exe.400000.3.unpack
  13.2.dhcpmon.exe.400000.0.unpack
  8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack
  10.0.PAYMENT-PO#45678.exe.400000.1.unpack
  13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack
  9.2.dhcpmon.exe.46d1fa0.10.unpack
  0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack
  13.0.dhcpmon.exe.400000.1.unpack
  8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack
  11.2.dhcpmon.exe.3a00624.4.raw.unpack
  8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack
  11.2.dhcpmon.exe.39fb7ee.5.raw.unpack
  0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack
  10.2.PAYMENT-PO#45678.exe.4380624.4.unpack
  9.2.dhcpmon.exe.45d47a8.9.unpack
  10.2.PAYMENT-PO#45678.exe.400000.0.unpack
  12.2.dhcpmon.exe.3a004d0.9.raw.unpack
  12.2.dhcpmon.exe.3a60510.10.raw.unpack
  10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack
  3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack
  3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack
  12.2.dhcpmon.exe.3a60510.10.unpack
  3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack
  9.2.dhcpmon.exe.45b4788.8.raw.unpack
  8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack
  3.2.PAYMENT-PO#45678.exe.400000.0.unpack
  8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack
  12.2.dhcpmon.exe.3a204f0.8.raw.unpack
  11.0.dhcpmon.exe.400000.1.unpack
  12.2.dhcpmon.exe.3a004d0.9.unpack
  10.0.PAYMENT-PO#45678.exe.400000.3.unpack
  12.2.dhcpmon.exe.3a204f0.8.unpack
  13.2.dhcpmon.exe.3cc0624.6.raw.unpack
  3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack
  0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack
  3.0.PAYMENT-PO#45678.exe.400000.3.unpack
  9.2.dhcpmon.exe.46d1fa0.10.raw.unpack
  3.0.PAYMENT-PO#45678.exe.400000.1.unpack
  9.2.dhcpmon.exe.45d47a8.9.raw.unpack
  13.2.dhcpmon.exe.3cc0624.6.unpack
  9.2.dhcpmon.exe.45b4788.8.unpack
  11.2.dhcpmon.exe.3a04c4d.3.raw.unpack
  10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack
  11.2.dhcpmon.exe.400000.0.unpack
  3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack
  11.2.dhcpmon.exe.3a00624.4.unpack
  3.2.PAYMENT-PO#45678.exe.5540000.10.unpack
  0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack
  11.0.dhcpmon.exe.400000.3.unpack
  0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack
  10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack
  3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack
  13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT-PO#45678.exe, Joe Sandbox ML: detected
Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.dhcpmon.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, Avira: Label: TR/NanoCore.fadte
Source: 11.0.dhcpmon.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: PAYMENT-PO#45678.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PAYMENT-PO#45678.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb; found in: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp; PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp; dhcpmon.exe, 00000009.00000002.231089232.0000000005700000.00000004.00000001.sdmp; dhcpmon.exe, 0000000C.00000002.245812912.0000000004C20000.00000004.00000001.sdmp

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: doc-file.ddns.net
Source: Malware configuration extractor, URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown, DNS query: name: doc-file.ddns.net
Source: global traffic, TCP traffic: 192.168.2.3:49718 -> 194.5.97.7:7755
Source: Joe Sandbox View, IP Address: 194.5.97.7
Source: Joe Sandbox View, ASN Name: DANILENKODE
Source: unknown, DNS traffic detected: queries for: doc-file.ddns.net
Source: PAYMENT-PO#45678.exe, 00000000.00000002.205351135.0000000001670000.00000004.00000020.sdmp, binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, binary or memory string: RegisterRawInputDevices
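The Process Tree section (schtasks.exe /create ... /xml pointing at a tmp file in %LOCALAPPDATA%\Temp, spawned by a binary on the user's Desktop), the Sigma hit (run.dat created under a GUID-named folder in %APPDATA%) and the Networking section above (a dynamic-DNS lookup followed by TCP to port 7755) are each detectable from standard endpoint telemetry. The following is an added example written for this page, not Joe Sandbox code, that runs that detection logic over constructed Sysmon-style events for IDs 1 (process create), 3 (network connect), 11 (file create) and 22 (DNS query). The event values are modelled on the report; the process IDs attached to the DNS and network events, the schtasks.exe image path and the DDNS suffix list are assumptions, since the report does not give them.

```python
"""Added example for this page (not Joe Sandbox code): host-side detections for
the behaviour in the Process Tree, Sigma and Networking sections, run over
constructed Sysmon-style events (IDs 1, 3, 11, 22)."""
import re

C2_PORT = 7755                        # port from the configuration above
DYNDNS_SUFFIXES = (".ddns.net",)      # assumption: extend with your own DDNS list
USER_PATH = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
# schtasks /create ... /xml <file under %LOCALAPPDATA%\Temp>
TEMP_TASK_XML = re.compile(
    r"/create\b.*?/xml\s+['\"]?[A-Z]:\\Users\\[^'\"]*?\\AppData\\Local\\Temp\\", re.I | re.S)
# run.dat under a GUID-named folder in %APPDATA% (what the page's Sigma hit matched)
RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$", re.I)

EVENTS = [  # constructed from the report; PIDs on events 3 and 4 are assumed
    {"EventID": 1, "ProcessId": 6788, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PAYMENT-PO#45678.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'"},
    {"EventID": 11, "ProcessId": 6736, "Image": r"C:\Users\user\Desktop\PAYMENT-PO#45678.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 22, "ProcessId": 6736, "Image": r"C:\Users\user\Desktop\PAYMENT-PO#45678.exe",
     "QueryName": "doc-file.ddns.net"},
    {"EventID": 3, "ProcessId": 6736, "Image": r"C:\Users\user\Desktop\PAYMENT-PO#45678.exe",
     "DestinationIp": "194.5.97.7", "DestinationPort": 7755},
    # benign noise, constructed
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "schtasks /query /tn Backup"},
    {"EventID": 22, "ProcessId": 4200, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
    {"EventID": 3, "ProcessId": 4200, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def check(ev: dict) -> list:
    """Names of the rules one event triggers; empty for benign events."""
    hits = []
    eid = ev["EventID"]
    if eid == 1:
        if ev["Image"].lower().endswith("\\schtasks.exe") and TEMP_TASK_XML.search(ev["CommandLine"]):
            hits.append("schtasks_create_from_temp_xml")
            if USER_PATH.match(ev.get("ParentImage", "")):
                hits.append("schtasks_parent_in_user_path")
    elif eid == 11:
        if RUN_DAT.search(ev["TargetFilename"]):
            hits.append("nanocore_run_dat")
    elif eid == 22:
        if ev["QueryName"].lower().endswith(DYNDNS_SUFFIXES):
            hits.append("dyndns_query")
    elif eid == 3:
        port = int(ev["DestinationPort"])
        if port == C2_PORT:
            hits.append("nanocore_c2_port")
        elif port not in (80, 443, 53) and USER_PATH.match(ev["Image"]):
            hits.append("user_path_binary_nonstandard_port")
    return hits


def detect(events: list) -> list:
    return [{"rule": rule, "pid": ev.get("ProcessId"), "image": ev.get("Image")}
            for ev in events for rule in check(ev)]


def pids_by_score(findings: list) -> list:
    """(pid, number of rule hits), highest first: the RAT process and the
    schtasks child it spawned should surface at the top."""
    score = {}
    for f in findings:
        score[f["pid"]] = score.get(f["pid"], 0) + 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings = detect(EVENTS)
    for f in findings:
        print(f"{f['rule']:36} pid={f['pid']} {f['image']}")
    print(pids_by_score(findings))
```

The port-specific rule is the brittle one (the port is an operator choice per build); the schtasks-from-%TEMP%-XML, GUID-folder run.dat and DDNS rules hold across NanoCore builds and are the ones worth keeping in a production ruleset.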

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the memory-dump and unpacked-PE file sources are the same as those listed under AV Detection above.
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.5440000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.2e330f8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.2cd9658.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
        .NET source code contains very large strings
        Source: PAYMENT-PO#45678.exe, SpanFill2d.cs; Long String: Length: 601976
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: dhcpmon.exe.3.dr, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.2.PAYMENT-PO#45678.exe.7d0000.1.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.2.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.4.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 8.2.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 8.0.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Initial sample is a PE file and has a suspicious name
        Source: initial sample; Static PE information: Filename: PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 0_2_014BD520
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 0_2_014B64C8
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 0_2_014B64BB
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 0_2_014B6758
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 0_2_014B49A0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_010CE471
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_010CE480
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_010CBBD4
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B6550
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B3E30
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BC6F0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BD308
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B4A50
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BD640
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B4B08
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BD3C6
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_06710040
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 8_2_00FFD520
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 8_2_00FF64C8
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 8_2_00FF64BB
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 8_2_00FF6758
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 8_2_00FF49A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_015ED520
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_015E64C8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_015E64BB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_015E6758
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_015E49A0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 10_2_032AE471
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 10_2_032AE480
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 10_2_032ABBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_0105E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_0105E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_0105BBD4
        Source: PAYMENT-PO#45678.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.204601830.0000000000E6E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.209367905.00000000057A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.205351135.0000000001670000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.209265990.0000000005700000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000001.00000002.201879123.000000000019E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000000.203046703.00000000008FE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.472895693.0000000005280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473431312.00000000061A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467181725.00000000010DA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.227792273.0000000004E90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.221497733.000000000069E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000000.220823699.0000000000F0E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240079437.000000000159A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.242207166.00000000058D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.3294584.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.3285750.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.32845cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.27045b8.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2ac4598.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Matched rule metadata (each rule's metadata is listed once here; it is the same for every match below):
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.3275798.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.5440000.7.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.2e330f8.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.2cd9658.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2aa602c.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.3276018.7.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2ab5764.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.dhcpmon.exe.26f5784.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.3266060.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.26e604c.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Feb18_1
        Source: PAYMENT-PO#45678.exe, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: dhcpmon.exe.3.dr, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: PAYMENT-PO#45678.exe, SpanFill2d.cs, Base64 encoded string: '
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs, Base64 encoded string: '
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs, Base64 encoded string: '
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs, Base64 encoded string: 'jU72jNJ87+G/9jsw3t5R8pZ3V0pPSsJTWL1d/TE2dFGkVXsiNQv6G8m8VqbhRC7J9HWzoQd+5tz4P6+P/QLswpT2FVexhLnDnjiRHCDmlARERMLw0ZAt4F9k1R48rJ8lnTKriiTZ+vzG46kd4xK0FBeB68pViLRN0iyhq5sC9JoCpdJSGZzsJOhPZShZWpyVHFpzQWILOZRw3Gr9c/oTW0ZDATsI0dljkOjt+GPx5Y2OGJsrjcNsj82BqsmQxknWtL7n1qKJhAboJFGoXY/HuwspGZloKdSbHk4zGj/Os7MfIGihgSgt/BB3Cp3Wra9iqzjKiY0TDfMi2NAfpN3d4PBzonkEhv1fN53pPR58m+BF1canSPgJKHgv4uCcRM5cAdHNjlMQCQ1AhpgPP07hriLeyq1Hxpl3crw29oNLHbmEYjwyFo4RKMYL7hLjpxOS42SffVVme18GxK74ZrFwj7fMIqZjmpBh+GH+EGoPf7KOBOULWLDtTonRtHmLQmcK5BR3AS4eniXhpaGQVkZAP2BanePqkqfjChfkWa50PnR0zTwJbVB8uXp24lbgg3Glubj4j8JXBU6SyZqAqrSpZUKthxaJ8yhNiT6VMniOTbO0kGqtsusJxWYN9D9k/evBJLqPQk1IA3A1G5nQqex5pdv55enGeywIY+slN5QGskDKsz4GEkncRCJ0dsdBf2Lg0YzZz+j4IXHMR65dUIUtXrwXD5jkDyyY9A/y6oCl8/syT48aQned3et7HYBcCZoJrEDNiK5ZuUEMZ1bECFxXGUBFDQ/JAxet+qd4Xk89cf1YY9hPCmjijljMoGaZySlsTAVoVeMxhJ0yHZQv0MTbZlxQs1Igt7yRmLxRnUP/zuRIoGOArlIBtGDQlBhKG/7DdPZODdcRx/MaKknohsYvT0WbZZzya4tavRJ39ox+p8C3KTP8jfJEEtwMnNgS+mpYBoBYrUBYXlF6DwWmjlhUhA3wpPT6XnOr1PtK4DSm9T8GiA5MgGM6I/TWVXTQBqMggMeqBFVwslpWHoxk0T37GQqqBsWFWHntx1Gh+q/HbHXjyaVeZLrGOMGTRuo9F585GcOGoemNGeylyFXlvFVWnDvJYTNdzeM4eok1IJRS/s/CNsOl5fhZjYeJqlf24kKg+b1yRdP0YNESG7pILLiIa34osEQ2ZhxIgHjGl+wYDeCfIEuKYoON24zLzQpYjYyeakSWpGfkx2aYMhwPl9zu7HG8aqIXeuWS6oFGyUAXimMh7SAfmhTZdCJVfz5K+iJcfeKh0u2yhUm+Ih66dFGQ2AKfrRgUsnbcURX+ylwHIAQM17zvsVu50vmhn5OYnZCo/Hv81W23armXzlQquv1zm7gbjzgk2JM4jkERnMinAVQ0eV9V10l5diGhVxP8I4t6kA6jfsY3rTju/oJxLCNs6qefQ1zVvI/xqFtpuVhXuqw0pI4liAeXEgq1LBRLoLtC6XV38oSo8SHV+gUWpYde4FddUqA6ww9y8cpe6Oyg58jcbLd0QOJGpmFieGtZJoluAGMA+atiZWyNk7OuVZ61h6d62oL9V9mWPXyMSdi8SYYkP5gQhhV8gXP4sfXxBffl5nWLKxOu02UL2jxsWJStMIAxCDNuLySV92pzmNlaZhvb5qeP6JMCtFIBPx+fBqFbwgYACDB4RTtR9O0qgvMdzLMUs6wUL5lq0HxyraevZj9vaeGShCuC2U+NnYjUfmicYNZdgfI4sAgZFuO4UasZy/eSAEaeJtxu9tc1/zmCzN9ToIMqM/0V7wDSuok6ywXiM/WsnjTYOsRLUNlFZNle+9dRMqRpYeOsfPMyAGy8NQv6FxHeO0E0DwyPVgf3dallMGo1Y9gnse1mGvKjqu9NIKq3ES3vGH/xV89NKwY5846WpOSdf7V2qIhRRJV0aV7e7LqXPEM1x/ASWKBCpUodVtuxV1YH8Ob+fImciFPxb0djy+ZRIrNlpubQRSD+bZCkd3ya2qpSpFDQ7Gp2Wq9b/iSIe03QECnqp3z/cvDKCMkQpKYGaBHLKteh/Xcv+HRsdk+I1wU5d7AbuRxrrfk+K8rK3cGkn1qpHMHaSk5qIliMlYemvEY8nCzUj7Jb0Nx9+JZCgLYmZ9oEVju+Tae+GnVjxPLfkyuyOz/W7bryT+IuwOkOFfHY2wME4SdfAQOgxv2uqV5fGJGkMj+tJNnxcg3mkrJp0DQUvOi5nnGjOlzo6ezK/G2CdDX4WS55pFRgsmkYOKffQTzuby04vt9dpe7BbgAP1EcifH8akg18F9Dd2fGfUSV3JOvqqt8OW2tOMlVdbDMu30qp+vjnm/IaMui3QxdvOQtBXMzNu22Ng8iTpIhcTAYVO0WXDSFwh1+QhRv01rL2AMcFo3Ezs5Pz8pEt0YtkvpaZpKRjLCIBW3XhuKAvhKl2RL5SmYnN0wlpSSG5EzLj7Mqvv2WjsCeO0Aupu3htsiaKWItUK3RyT6McveMtVD+1pf0r53pY1ZZ6SBQoCR0lf636FurpjZ9Zf4+pkwFZQ9O+HajCXaSDWhTxDt+fXWl1+sehEX+1RxLVif4q2uO+v3SAJTpgHUzRisJ1B6ce73pso/5/EaIP/jqxPXjuAp1ku5L4NLVWcYhindAllhtIA32wxTdiAWzNw+yWyxqmpaSENX4aFpdehpNjGyYuhoblDjM5l+o1sXOVLOzww4Ctgh6BhmvXcA1Yke9dVP4Wvw2WsrSbl2FNQa4kWSlO+leqgvFUA3ZLVBfL0HC/D6jsn21SEcI/IUVG5MCUMubDyOVIGXpTnLJh6lcNnX76GZRcqIipD7wImMVTdiHaZbT0Hstmd4nr75l41ruPymUX2e8YzbUitCfJoRKDdfQiv+L2lUyhBynENgPq4KqsjDvztIUjJf6F2PaTrr+Wjejz+NF8frsH0Haor5fS8jzujvqDenIW6ioQDf4wb5/c21SyOocubuXWWfKne5d5s5MFOl7bLhf+qavtNnQ7KkXz9PWdeE1
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs, Base64 encoded string: '
        Source: dhcpmon.exe.3.dr, SpanFill2d.cs, Base64 encoded string: '
        Source: 3.2.PAYMENT-PO#45678.exe.7d0000.1.unpack, SpanFill2d.cs, Base64 encoded string: '
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.0.unpack, SpanFill2d.cs, Base64 encoded string: 'jU72jNJ87+G/9jsw3t5R8pZ3V0pPSsJTWL1d/TE2dFGkVXsiNQv6G8m8VqbhRC7J9HWzoQd+5tz4P6+P/QLswpT2FVexhLnDnjiRHCDmlARERMLw0ZAt4F9k1R48rJ8lnTKriiTZ+vzG46kd4xK0FBeB68pViLRN0iyhq5sC9JoCpdJSGZzsJOhPZShZWpyVHFpzQWILOZRw3Gr9c/oTW0ZDATsI0dljkOjt+GPx5Y2OGJsrjcNsj82BqsmQxknWtL7n1qKJhAboJFGoXY/HuwspGZloKdSbHk4zGj/Os7MfIGihgSgt/BB3Cp3Wra9iqzjKiY0TDfMi2NAfpN3d4PBzonkEhv1fN53pPR58m+BF1canSPgJKHgv4uCcRM5cAdHNjlMQCQ1AhpgPP07hriLeyq1Hxpl3crw29oNLHbmEYjwyFo4RKMYL7hLjpxOS42SffVVme18GxK74ZrFwj7fMIqZjmpBh+GH+EGoPf7KOBOULWLDtTonRtHmLQmcK5BR3AS4eniXhpaGQVkZAP2BanePqkqfjChfkWa50PnR0zTwJbVB8uXp24lbgg3Glubj4j8JXBU6SyZqAqrSpZUKthxaJ8yhNiT6VMniOTbO0kGqtsusJxWYN9D9k/evBJLqPQk1IA3A1G5nQqex5pdv55enGeywIY+slN5QGskDKsz4GEkncRCJ0dsdBf2Lg0YzZz+j4IXHMR65dUIUtXrwXD5jkDyyY9A/y6oCl8/syT48aQned3et7HYBcCZoJrEDNiK5ZuUEMZ1bECFxXGUBFDQ/JAxet+qd4Xk89cf1YY9hPCmjijljMoGaZySlsTAVoVeMxhJ0yHZQv0MTbZlxQs1Igt7yRmLxRnUP/zuRIoGOArlIBtGDQlBhKG/7DdPZODdcRx/MaKknohsYvT0WbZZzya4tavRJ39ox+p8C3KTP8jfJEEtwMnNgS+mpYBoBYrUBYXlF6DwWmjlhUhA3wpPT6XnOr1PtK4DSm9T8GiA5MgGM6I/TWVXTQBqMggMeqBFVwslpWHoxk0T37GQqqBsWFWHntx1Gh+q/HbHXjyaVeZLrGOMGTRuo9F585GcOGoemNGeylyFXlvFVWnDvJYTNdzeM4eok1IJRS/s/CNsOl5fhZjYeJqlf24kKg+b1yRdP0YNESG7pILLiIa34osEQ2ZhxIgHjGl+wYDeCfIEuKYoON24zLzQpYjYyeakSWpGfkx2aYMhwPl9zu7HG8aqIXeuWS6oFGyUAXimMh7SAfmhTZdCJVfz5K+iJcfeKh0u2yhUm+Ih66dFGQ2AKfrRgUsnbcURX+ylwHIAQM17zvsVu50vmhn5OYnZCo/Hv81W23armXzlQquv1zm7gbjzgk2JM4jkERnMinAVQ0eV9V10l5diGhVxP8I4t6kA6jfsY3rTju/oJxLCNs6qefQ1zVvI/xqFtpuVhXuqw0pI4liAeXEgq1LBRLoLtC6XV38oSo8SHV+gUWpYde4FddUqA6ww9y8cpe6Oyg58jcbLd0QOJGpmFieGtZJoluAGMA+atiZWyNk7OuVZ61h6d62oL9V9mWPXyMSdi8SYYkP5gQhhV8gXP4sfXxBffl5nWLKxOu02UL2jxsWJStMIAxCDNuLySV92pzmNlaZhvb5qeP6JMCtFIBPx+fBqFbwgYACDB4RTtR9O0qgvMdzLMUs6wUL5lq0HxyraevZj9vaeGShCuC2U+NnYjUfmicYNZdgfI4sAgZFuO4UasZy/eSAEaeJtxu9tc1/zmCzN9ToIMqM/0V7wDSuok6ywXiM/WsnjTYOsRLUNlFZNle+9dRMqRpYeOsfPMyAGy8NQv6FxHeO0E0DwyPVgf3dallMGo1Y9gnse1mGvKjqu9NIKq3ES3vGH/xV89NKwY5846WpOSdf7V2qIhRRJV0aV7e7LqXPEM1x/ASWKBCpUodVtuxV1YH8Ob+fImciFPxb0djy+ZRIrNlpubQRSD+bZCkd3ya2qpSpFDQ7Gp2Wq9b/iSIe03QECnqp3z/cvDKCMkQpKYGaBHLKteh/Xcv+HRsdk+I1wU5d7AbuRxrrfk+K8rK3cGkn1qpHMHaSk5qIliMlYemvEY8nCzUj7Jb0Nx9+JZCgLYmZ9oEVju+Tae+GnVjxPLfkyuyOz/W7bryT+IuwOkOFfHY2wME4SdfAQOgxv2uqV5fGJGkMj+tJNnxcg3mkrJp0DQUvOi5nnGjOlzo6ezK/G2CdDX4WS55pFRgsmkYOKffQTzuby04vt9dpe7BbgAP1EcifH8akg18F9Dd2fGfUSV3JOvqqt8OW2tOMlVdbDMu30qp+vjnm/IaMui3QxdvOQtBXMzNu22Ng8iTpIhcTAYVO0WXDSFwh1+QhRv01rL2AMcFo3Ezs5Pz8pEt0YtkvpaZpKRjLCIBW3XhuKAvhKl2RL5SmYnN0wlpSSG5EzLj7Mqvv2WjsCeO0Aupu3htsiaKWItUK3RyT6McveMtVD+1pf0r53pY1ZZ6SBQoCR0lf636FurpjZ9Zf4+pkwFZQ9O+HajCXaSDWhTxDt+fXWl1+sehEX+1RxLVif4q2uO+v3SAJTpgHUzRisJ1B6ce73pso/5/EaIP/jqxPXjuAp1ku5L4NLVWcYhindAllhtIA32wxTdiAWzNw+yWyxqmpaSENX4aFpdehpNjGyYuhoblDjM5l+o1sXOVLOzww4Ctgh6BhmvXcA1Yke9dVP4Wvw2WsrSbl2FNQa4kWSlO+leqgvFUA3ZLVBfL0HC/D6jsn21SEcI/IUVG5MCUMubDyOVIGXpTnLJh6lcNnX76GZRcqIipD7wImMVTdiHaZbT0Hstmd4nr75l41ruPymUX2e8YzbUitCfJoRKDdfQiv+L2lUyhBynENgPq4KqsjDvztIUjJf6F2PaTrr+Wjejz+NF8frsH0Haor5fS8jzujvqDenIW6ioQDf4wb5/c21SyOocubuXWWfKne5d5s5MFOl7bLhf+qavtNnQ7KkXz9PWdeE1
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.2.unpack, SpanFill2d.csBase64 encoded string: 'jU72jNJ87+G/9jsw3t5R8pZ3V0pPSsJTWL1d/TE2dFGkVXsiNQv6G8m8VqbhRC7J9HWzoQd+5tz4P6+P/QLswpT2FVexhLnDnjiRHCDmlARERMLw0ZAt4F9k1R48rJ8lnTKriiTZ+vzG46kd4xK0FBeB68pViLRN0iyhq5sC9JoCpdJSGZzsJOhPZShZWpyVHFpzQWILOZRw3Gr9c/oTW0ZDATsI0dljkOjt+GPx5Y2OGJsrjcNsj82BqsmQxknWtL7n1qKJhAboJFGoXY/HuwspGZloKdSbHk4zGj/Os7MfIGihgSgt/BB3Cp3Wra9iqzjKiY0TDfMi2NAfpN3d4PBzonkEhv1fN53pPR58m+BF1canSPgJKHgv4uCcRM5cAdHNjlMQCQ1AhpgPP07hriLeyq1Hxpl3crw29oNLHbmEYjwyFo4RKMYL7hLjpxOS42SffVVme18GxK74ZrFwj7fMIqZjmpBh+GH+EGoPf7KOBOULWLDtTonRtHmLQmcK5BR3AS4eniXhpaGQVkZAP2BanePqkqfjChfkWa50PnR0zTwJbVB8uXp24lbgg3Glubj4j8JXBU6SyZqAqrSpZUKthxaJ8yhNiT6VMniOTbO0kGqtsusJxWYN9D9k/evBJLqPQk1IA3A1G5nQqex5pdv55enGeywIY+slN5QGskDKsz4GEkncRCJ0dsdBf2Lg0YzZz+j4IXHMR65dUIUtXrwXD5jkDyyY9A/y6oCl8/syT48aQned3et7HYBcCZoJrEDNiK5ZuUEMZ1bECFxXGUBFDQ/JAxet+qd4Xk89cf1YY9hPCmjijljMoGaZySlsTAVoVeMxhJ0yHZQv0MTbZlxQs1Igt7yRmLxRnUP/zuRIoGOArlIBtGDQlBhKG/7DdPZODdcRx/MaKknohsYvT0WbZZzya4tavRJ39ox+p8C3KTP8jfJEEtwMnNgS+mpYBoBYrUBYXlF6DwWmjlhUhA3wpPT6XnOr1PtK4DSm9T8GiA5MgGM6I/TWVXTQBqMggMeqBFVwslpWHoxk0T37GQqqBsWFWHntx1Gh+q/HbHXjyaVeZLrGOMGTRuo9F585GcOGoemNGeylyFXlvFVWnDvJYTNdzeM4eok1IJRS/s/CNsOl5fhZjYeJqlf24kKg+b1yRdP0YNESG7pILLiIa34osEQ2ZhxIgHjGl+wYDeCfIEuKYoON24zLzQpYjYyeakSWpGfkx2aYMhwPl9zu7HG8aqIXeuWS6oFGyUAXimMh7SAfmhTZdCJVfz5K+iJcfeKh0u2yhUm+Ih66dFGQ2AKfrRgUsnbcURX+ylwHIAQM17zvsVu50vmhn5OYnZCo/Hv81W23armXzlQquv1zm7gbjzgk2JM4jkERnMinAVQ0eV9V10l5diGhVxP8I4t6kA6jfsY3rTju/oJxLCNs6qefQ1zVvI/xqFtpuVhXuqw0pI4liAeXEgq1LBRLoLtC6XV38oSo8SHV+gUWpYde4FddUqA6ww9y8cpe6Oyg58jcbLd0QOJGpmFieGtZJoluAGMA+atiZWyNk7OuVZ61h6d62oL9V9mWPXyMSdi8SYYkP5gQhhV8gXP4sfXxBffl5nWLKxOu02UL2jxsWJStMIAxCDNuLySV92pzmNlaZhvb5qeP6JMCtFIBPx+fBqFbwgYACDB4RTtR9O0qgvMdzLMUs6wUL5lq0HxyraevZj9vaeGShCuC2U+NnYjUfmicYNZdgfI4sAgZFuO4UasZy/eSAEaeJtxu9tc1/zmCzN9ToIMqM/0V7wDSuok6ywXiM/WsnjTYOsRLUNlFZNle+9dRMqRpYeOsfPMyAGy8NQv6FxHeO0E0DwyPVgf3dallMGo1Y9gnse1mGvKjqu9NIKq3ES3vGH/xV89NKwY5846WpOSdf
7V2qIhRRJV0aV7e7LqXPEM1x/ASWKBCpUodVtuxV1YH8Ob+fImciFPxb0djy+ZRIrNlpubQRSD+bZCkd3ya2qpSpFDQ7Gp2Wq9b/iSIe03QECnqp3z/cvDKCMkQpKYGaBHLKteh/Xcv+HRsdk+I1wU5d7AbuRxrrfk+K8rK3cGkn1qpHMHaSk5qIliMlYemvEY8nCzUj7Jb0Nx9+JZCgLYmZ9oEVju+Tae+GnVjxPLfkyuyOz/W7bryT+IuwOkOFfHY2wME4SdfAQOgxv2uqV5fGJGkMj+tJNnxcg3mkrJp0DQUvOi5nnGjOlzo6ezK/G2CdDX4WS55pFRgsmkYOKffQTzuby04vt9dpe7BbgAP1EcifH8akg18F9Dd2fGfUSV3JOvqqt8OW2tOMlVdbDMu30qp+vjnm/IaMui3QxdvOQtBXMzNu22Ng8iTpIhcTAYVO0WXDSFwh1+QhRv01rL2AMcFo3Ezs5Pz8pEt0YtkvpaZpKRjLCIBW3XhuKAvhKl2RL5SmYnN0wlpSSG5EzLj7Mqvv2WjsCeO0Aupu3htsiaKWItUK3RyT6McveMtVD+1pf0r53pY1ZZ6SBQoCR0lf636FurpjZ9Zf4+pkwFZQ9O+HajCXaSDWhTxDt+fXWl1+sehEX+1RxLVif4q2uO+v3SAJTpgHUzRisJ1B6ce73pso/5/EaIP/jqxPXjuAp1ku5L4NLVWcYhindAllhtIA32wxTdiAWzNw+yWyxqmpaSENX4aFpdehpNjGyYuhoblDjM5l+o1sXOVLOzww4Ctgh6BhmvXcA1Yke9dVP4Wvw2WsrSbl2FNQa4kWSlO+leqgvFUA3ZLVBfL0HC/D6jsn21SEcI/IUVG5MCUMubDyOVIGXpTnLJh6lcNnX76GZRcqIipD7wImMVTdiHaZbT0Hstmd4nr75l41ruPymUX2e8YzbUitCfJoRKDdfQiv+L2lUyhBynENgPq4KqsjDvztIUjJf6F2PaTrr+Wjejz+NF8frsH0Haor5fS8jzujvqDenIW6ioQDf4wb5/c21SyOocubuXWWfKne5d5s5MFOl7bLhf+qavtNnQ7KkXz9PWdeE1
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.4.unpack, SpanFill2d.csBase64 encoded string: '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
        Source: 8.2.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.csBase64 encoded string: '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
        Source: 8.0.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.csBase64 encoded string: 'jU72jNJ87+G/9jsw3t5R8pZ3V0pPSsJTWL1d/TE2dFGkVXsiNQv6G8m8VqbhRC7J9HWzoQd+5tz4P6+P/QLswpT2FVexhLnDnjiRHCDmlARERMLw0ZAt4F9k1R48rJ8lnTKriiTZ+vzG46kd4xK0FBeB68pViLRN0iyhq5sC9JoCpdJSGZzsJOhPZShZWpyVHFpzQWILOZRw3Gr9c/oTW0ZDATsI0dljkOjt+GPx5Y2OGJsrjcNsj82BqsmQxknWtL7n1qKJhAboJFGoXY/HuwspGZloKdSbHk4zGj/Os7MfIGihgSgt/BB3Cp3Wra9iqzjKiY0TDfMi2NAfpN3d4PBzonkEhv1fN53pPR58m+BF1canSPgJKHgv4uCcRM5cAdHNjlMQCQ1AhpgPP07hriLeyq1Hxpl3crw29oNLHbmEYjwyFo4RKMYL7hLjpxOS42SffVVme18GxK74ZrFwj7fMIqZjmpBh+GH+EGoPf7KOBOULWLDtTonRtHmLQmcK5BR3AS4eniXhpaGQVkZAP2BanePqkqfjChfkWa50PnR0zTwJbVB8uXp24lbgg3Glubj4j8JXBU6SyZqAqrSpZUKthxaJ8yhNiT6VMniOTbO0kGqtsusJxWYN9D9k/evBJLqPQk1IA3A1G5nQqex5pdv55enGeywIY+slN5QGskDKsz4GEkncRCJ0dsdBf2Lg0YzZz+j4IXHMR65dUIUtXrwXD5jkDyyY9A/y6oCl8/syT48aQned3et7HYBcCZoJrEDNiK5ZuUEMZ1bECFxXGUBFDQ/JAxet+qd4Xk89cf1YY9hPCmjijljMoGaZySlsTAVoVeMxhJ0yHZQv0MTbZlxQs1Igt7yRmLxRnUP/zuRIoGOArlIBtGDQlBhKG/7DdPZODdcRx/MaKknohsYvT0WbZZzya4tavRJ39ox+p8C3KTP8jfJEEtwMnNgS+mpYBoBYrUBYXlF6DwWmjlhUhA3wpPT6XnOr1PtK4DSm9T8GiA5MgGM6I/TWVXTQBqMggMeqBFVwslpWHoxk0T37GQqqBsWFWHntx1Gh+q/HbHXjyaVeZLrGOMGTRuo9F585GcOGoemNGeylyFXlvFVWnDvJYTNdzeM4eok1IJRS/s/CNsOl5fhZjYeJqlf24kKg+b1yRdP0YNESG7pILLiIa34osEQ2ZhxIgHjGl+wYDeCfIEuKYoON24zLzQpYjYyeakSWpGfkx2aYMhwPl9zu7HG8aqIXeuWS6oFGyUAXimMh7SAfmhTZdCJVfz5K+iJcfeKh0u2yhUm+Ih66dFGQ2AKfrRgUsnbcURX+ylwHIAQM17zvsVu50vmhn5OYnZCo/Hv81W23armXzlQquv1zm7gbjzgk2JM4jkERnMinAVQ0eV9V10l5diGhVxP8I4t6kA6jfsY3rTju/oJxLCNs6qefQ1zVvI/xqFtpuVhXuqw0pI4liAeXEgq1LBRLoLtC6XV38oSo8SHV+gUWpYde4FddUqA6ww9y8cpe6Oyg58jcbLd0QOJGpmFieGtZJoluAGMA+atiZWyNk7OuVZ61h6d62oL9V9mWPXyMSdi8SYYkP5gQhhV8gXP4sfXxBffl5nWLKxOu02UL2jxsWJStMIAxCDNuLySV92pzmNlaZhvb5qeP6JMCtFIBPx+fBqFbwgYACDB4RTtR9O0qgvMdzLMUs6wUL5lq0HxyraevZj9vaeGShCuC2U+NnYjUfmicYNZdgfI4sAgZFuO4UasZy/eSAEaeJtxu9tc1/zmCzN9ToIMqM/0V7wDSuok6ywXiM/WsnjTYOsRLUNlFZNle+9dRMqRpYeOsfPMyAGy8NQv6FxHeO0E0DwyPVgf3dallMGo1Y9gnse1mGvKjqu9NIKq3ES3vGH/xV89NKwY5846WpOSdf
7V2qIhRRJV0aV7e7LqXPEM1x/ASWKBCpUodVtuxV1YH8Ob+fImciFPxb0djy+ZRIrNlpubQRSD+bZCkd3ya2qpSpFDQ7Gp2Wq9b/iSIe03QECnqp3z/cvDKCMkQpKYGaBHLKteh/Xcv+HRsdk+I1wU5d7AbuRxrrfk+K8rK3cGkn1qpHMHaSk5qIliMlYemvEY8nCzUj7Jb0Nx9+JZCgLYmZ9oEVju+Tae+GnVjxPLfkyuyOz/W7bryT+IuwOkOFfHY2wME4SdfAQOgxv2uqV5fGJGkMj+tJNnxcg3mkrJp0DQUvOi5nnGjOlzo6ezK/G2CdDX4WS55pFRgsmkYOKffQTzuby04vt9dpe7BbgAP1EcifH8akg18F9Dd2fGfUSV3JOvqqt8OW2tOMlVdbDMu30qp+vjnm/IaMui3QxdvOQtBXMzNu22Ng8iTpIhcTAYVO0WXDSFwh1+QhRv01rL2AMcFo3Ezs5Pz8pEt0YtkvpaZpKRjLCIBW3XhuKAvhKl2RL5SmYnN0wlpSSG5EzLj7Mqvv2WjsCeO0Aupu3htsiaKWItUK3RyT6McveMtVD+1pf0r53pY1ZZ6SBQoCR0lf636FurpjZ9Zf4+pkwFZQ9O+HajCXaSDWhTxDt+fXWl1+sehEX+1RxLVif4q2uO+v3SAJTpgHUzRisJ1B6ce73pso/5/EaIP/jqxPXjuAp1ku5L4NLVWcYhindAllhtIA32wxTdiAWzNw+yWyxqmpaSENX4aFpdehpNjGyYuhoblDjM5l+o1sXOVLOzww4Ctgh6BhmvXcA1Yke9dVP4Wvw2WsrSbl2FNQa4kWSlO+leqgvFUA3ZLVBfL0HC/D6jsn21SEcI/IUVG5MCUMubDyOVIGXpTnLJh6lcNnX76GZRcqIipD7wImMVTdiHaZbT0Hstmd4nr75l41ruPymUX2e8YzbUitCfJoRKDdfQiv+L2lUyhBynENgPq4KqsjDvztIUjJf6F2PaTrr+Wjejz+NF8frsH0Haor5fS8jzujvqDenIW6ioQDf4wb5/c21SyOocubuXWWfKne5d5s5MFOl7bLhf+qavtNnQ7KkXz9PWdeE1
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine Classification label: mal100.troj.evad.winEXE@20/8@12/3
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#45678.exe.log
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{fa01d1ff-8193-42b2-a0e1-b0e6c90b42b3}
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File created: C:\Users\user\AppData\Local\Temp\tmp8E26.tmp
        Source: PAYMENT-PO#45678.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: PAYMENT-PO#45678.exe ReversingLabs: Detection: 41%
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File read: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: unknown Process created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe 'C:\Users\user\Desktop\PAYMENT-PO#45678.exe'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Process created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
        Source: unknown Process created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: PAYMENT-PO#45678.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PAYMENT-PO#45678.exe Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: PAYMENT-PO#45678.exe Static file information: File size 1438208 > 1048576
        Source: PAYMENT-PO#45678.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ae00
        Source: PAYMENT-PO#45678.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RunPE.pdb source: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp, PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.231089232.0000000005700000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.245812912.0000000004C20000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB720 push 8BB84589h; retf 3_2_052BB72D
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB769 push 8BB44589h; retf 3_2_052BB775
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB7A8 push 8BB04589h; retf 3_2_052BB7BA
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB7E2 push 0000002Fh; retf 3_2_052BB7E4
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB691 push 8BC04589h; retf 3_2_052BB69D
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052BB6D8 push 8BBC4589h; retf 3_2_052BB6E5
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B9A7B push ecx; retf 3_2_052B9A83
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Code function: 3_2_052B9AE1 push esp; retf 3_2_052B9B3A
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe File opened: C:\Users\user\Desktop\PAYMENT-PO#45678.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeWindow / User API: threadDelayed 6296Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeWindow / User API: threadDelayed 2938Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeWindow / User API: foregroundWindowGot 921Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6644Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6912Thread sleep time: -6456360425798339s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6980Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7012Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 7068Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7084Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1304Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1932Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exeBinary or memory string: qFnHAHSx0rXjXNN3jJRtKvMCIXpz62HOGEq9bH0EfOXq8ybdT3P+dA4nnKt8FCOEwo5NTPKVjyB+2HkgL5mXA+YmWuc9k5jhRECR4bdftEOKqoKDThhnSzTmwtFRCh7Trh
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467335475.0000000001102000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeMemory written: C:\Users\user\Desktop\PAYMENT-PO#45678.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473806728.0000000006C1D000.00000004.00000001.sdmpBinary or memory string: Program ManagerH
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468606930.0000000002F33000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473415873.000000000619B000.00000004.00000001.sdmpBinary or memory string: Program ManagerHT
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473645693.000000000660D000.00000004.00000001.sdmpBinary or memory string: Program ManagerH4
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473770625.0000000006ADE000.00000004.00000001.sdmpBinary or memory string: Program ManagerHt
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeQueries volume information: C:\Users\user\Desktop\PAYMENT-PO#45678.exe VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE
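The match identifiers above carry more than a label: the memory-dump names encode the process index, the start address and the page protection of the region that matched, and the unpacked-PE names carry the image name and the address the PE was carved from. The following script is an added example, not part of the report or of Joe Sandbox, that parses a subset of the identifiers listed above and flags the processes in which the Nanocore rule matched an executable region at the default 32-bit image base (0x402000 with protection 0x40), which is the picture the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures in this report describe. The field layout of the .sdmp names beyond process index, address and protection, and the reading of the fifth field as a winnt.h page-protection value, are assumptions made here; the values 0x40 and 0x04 seen in the list are consistent with PAGE_EXECUTE_READWRITE and PAGE_READWRITE.

```python
import re
from collections import Counter, defaultdict

# Identifier shapes seen in the Yara list above. Only process index, address
# and protection are relied on; the meaning of the other fields is assumed.
#   memory dump : <proc idx hex>.<stage>.<serial>.<start address>.<protection>.<flags>.sdmp
#   unpacked PE : <proc idx>.<stage>.<image name>.<address>.<n>[.raw].unpack
#   whole proc  : Process Memory Space: <image> PID: <pid>
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
PROC_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# winnt.h page protections: 0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE;
# any of the 0x10/0x20/0x40/0x80 bits means the page is executable.
EXEC_MASK = 0xF0
# Default image base range of a 32-bit executable. An executable, writable
# region here in a child started suspended is the process-hollowing picture.
IMAGE_LO, IMAGE_HI = 0x400000, 0x800000

# Subset of the identifiers listed in the report above (copied verbatim).
REPORT_SOURCES = [
    "0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp",
    "00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp",
    "0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp",
    "00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp",
    "0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp",
    "00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp",
    "Process Memory Space: dhcpmon.exe PID: 7040",
    "Process Memory Space: PAYMENT-PO#45678.exe PID: 6920",
    "13.2.dhcpmon.exe.400000.0.unpack",
    "3.2.PAYMENT-PO#45678.exe.400000.0.unpack",
    "0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack",
    "13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack",
]


def parse_match(source):
    """Classify one 'File source' value; returns a dict or None if unrecognised."""
    m = SDMP_RE.match(source)
    if m:
        return {"kind": "sdmp", "proc": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "addr": int(m.group(4), 16), "prot": int(m.group(5), 16)}
    m = UNPACK_RE.match(source)
    if m:
        return {"kind": "unpack", "proc": int(m.group(1)), "stage": int(m.group(2)),
                "image": m.group(3), "addr": int(m.group(4), 16), "raw": m.group(6) is not None}
    m = PROC_RE.match(source)
    if m:
        return {"kind": "process", "image": m.group(1), "pid": int(m.group(2))}
    return None


def summarize(sources):
    """Group matches per process and flag executable regions in the image range."""
    prot_counts = defaultdict(Counter)
    injected = set()
    images = {}
    pids = defaultdict(set)
    for s in sources:
        p = parse_match(s)
        if p is None:
            continue
        if p["kind"] == "sdmp":
            prot_counts[p["proc"]][p["prot"]] += 1
            if p["prot"] & EXEC_MASK and IMAGE_LO <= p["addr"] < IMAGE_HI:
                injected.add(p["proc"])
        elif p["kind"] == "unpack":
            images.setdefault(p["proc"], p["image"])
        else:
            pids[p["image"]].add(p["pid"])
    return {
        "injected_procs": sorted(injected),
        "prot_counts": {k: dict(v) for k, v in sorted(prot_counts.items())},
        "images": images,
        "pids": {k: sorted(v) for k, v in pids.items()},
    }


if __name__ == "__main__":
    s = summarize(REPORT_SOURCES)
    for proc in s["injected_procs"]:
        print(f"process #{proc} ({s['images'].get(proc, '?')}): Nanocore matched an executable image region")
    print("per-process protections:", s["prot_counts"])
```

On the subset above the executable 0x402000 regions belong to processes 3, 10, 11 and 13, i.e. one PAYMENT-PO#45678.exe and three dhcpmon.exe instances, while the 0x04 regions at heap addresses such as 0x2E01000 and 0x4646000 are read-write copies of the payload in the loader processes. The heap reading is an inference from the protection values, not something the report states.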

        Remote Access Functionality:

        Detected Nanocore Rat
        The entries below match on the literal assembly name NanoCore.ClientPluginHost and on the .NET #Strings metadata heap of the embedded NanoCore ClientPlugin.dll, which is why the second kind of hit reads as one run of concatenated type and member names (IClientNetworkHost, IClientLoggingHost, RebuildHostCache, DisableProtection, ...). Both are found in the dropped dhcpmon.exe as well as in the original sample.
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
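The "String found in binary or memory" entries above are plain substring hits on process memory dumps. The script below is an added example, not part of the report or of Joe Sandbox, that reproduces that check offline: it looks for the indicator strings the report matched on in both ASCII (the form they take in the #Strings metadata heap) and UTF-16LE (the form a System.String takes on the CLR heap once the name has been loaded), scans a dump in chunks without losing a string that straddles a chunk boundary, and applies the same verdict rule the report uses, namely that NanoCore.ClientPluginHost alone is the detection while the other names only corroborate. The sample buffer is constructed here for the test; the indicator list and the verdict logic are the only things taken from the report.

```python
# Indicators taken from the "Detected Nanocore Rat" entries above; the first is
# the assembly name the report matched on, the rest are names from the same
# metadata string heap.
INDICATORS = [
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "ClientPlugin.dll",
]


def encodings(text):
    """Byte forms to look for: ASCII (the #Strings metadata heap, UTF-8 in
    practice) and UTF-16LE (how the CLR stores System.String on the heap)."""
    return [("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le"))]


NEEDLES = [(ind, enc, needle) for ind in INDICATORS for enc, needle in encodings(ind)]
MAX_NEEDLE = max(len(n) for _, _, n in NEEDLES)


def scan_buffer(buf, base=0):
    """Return sorted (absolute offset, indicator, encoding) for every occurrence in buf."""
    hits = []
    for ind, enc, needle in NEEDLES:
        i = buf.find(needle)
        while i >= 0:
            hits.append((base + i, ind, enc))
            i = buf.find(needle, i + 1)
    return sorted(hits)


def scan_stream(chunks):
    """Scan an iterable of byte chunks (a dump read piecewise). The last
    MAX_NEEDLE-1 bytes of each chunk are carried into the next so a string that
    straddles a chunk boundary is still found; the set removes the duplicate
    report of hits that lie wholly inside the carried tail."""
    overlap = MAX_NEEDLE - 1
    seen = set()
    tail = b""
    pos = 0  # absolute offset of buf[0]
    for chunk in chunks:
        buf = tail + chunk
        seen.update(scan_buffer(buf, base=pos))
        tail = buf[-overlap:]
        pos += len(buf) - len(tail)
    return sorted(seen)


def scan_file(path, chunk_size=1 << 20):
    """Scan a memory dump or PE on disk (e.g. an .sdmp or .unpack from the report)."""
    with open(path, "rb") as f:
        return scan_stream(iter(lambda: f.read(chunk_size), b""))


def verdict(hits):
    """Mirror the report's rule: the plugin-host assembly name alone is the
    detection; the member names only corroborate it."""
    found = {ind for _, ind, _ in hits}
    if "NanoCore.ClientPluginHost" in found:
        return "nanocore"
    return "corroborating-only" if found else "clean"


# Constructed sample "dump": padding, the ASCII indicator, padding, a UTF-16LE one.
SAMPLE = (b"\x00" * 16 + b"NanoCore.ClientPluginHost" + b"\x00" * 8
          + "ClientPlugin.dll".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    for off, ind, enc in scan_buffer(SAMPLE):
        print(f"0x{off:08x} {enc:8s} {ind}")
    print(verdict(scan_buffer(SAMPLE)))
```

Two caveats that the report's one-line entries hide: the UTF-16LE form only appears after the CLR has materialised the name as a string object, so a dump taken before the plugin assembly is touched may carry only the ASCII form; and any process that legitimately loads the NanoCore plugin SDK would match the same strings, so the hit is meaningful here because it sits inside the sample's own process tree (and inside the injected dhcpmon.exe children), not because the string is unique to malware.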
        Yara detected Nanocore RAT
        Source: the same Yara matches already listed under Stealing of Sensitive Information above (the report lists this signature under both categories).

        MITRE ATT&CK Matrix

        Only cells with a trailing number were matched by this sample; the number is the signature-count badge from the original matrix. The remaining cells are the matrix's fixed technique listing. "-" marks an empty cell.

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 2 | Input Capture 21 | Security Software Discovery 11 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | - | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 433324
        Sample: PAYMENT-PO#45678.exe
        Start date: 11/06/2021
        Architecture: WINDOWS
        Score: 100

        Start (node 2)
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures
            started [8] PAYMENT-PO#45678.exe 3
                dropped: C:\Users\user\...\PAYMENT-PO#45678.exe.log (ASCII)
                Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
                started [18] PAYMENT-PO#45678.exe 1 12
                    DNS/IP: doc-file.ddns.net 194.5.97.7, ports 49718, 49724, 49725 (DANILENKODE, Netherlands); 127.0.0.1 (unknown, unknown); 192.168.2.1 (unknown, unknown)
                    dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp8E26.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
                    Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    started [31] schtasks.exe 1
                        started [35] conhost.exe
                    started [33] schtasks.exe 1
                        started [37] conhost.exe
                started [23] PAYMENT-PO#45678.exe
            started [12] dhcpmon.exe 3
                started [25] dhcpmon.exe
            started [14] PAYMENT-PO#45678.exe 2
                started [27] PAYMENT-PO#45678.exe
            started [16] dhcpmon.exe
                started [29] dhcpmon.exe

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        PAYMENT-PO#45678.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        PAYMENT-PO#45678.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        10.0.PAYMENT-PO#45678.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.0.dhcpmon.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.0.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        10.2.PAYMENT-PO#45678.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.2.PAYMENT-PO#45678.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        11.0.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        10.0.PAYMENT-PO#45678.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.PAYMENT-PO#45678.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.PAYMENT-PO#45678.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        11.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.2.PAYMENT-PO#45678.exe.5540000.10.unpack | 100% | Avira | TR/NanoCore.fadte
        11.0.dhcpmon.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        doc-file.ddns.net | 3% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        doc-file.ddns.net | 3% | Virustotal |
        doc-file.ddns.net | 0% | Avira URL Cloud | safe
        127.0.0.1 | 0% | Virustotal |
        127.0.0.1 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        doc-file.ddns.net | 194.5.97.7 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        doc-file.ddns.net | true | 3% Virustotal; Avira URL Cloud: safe | unknown
        127.0.0.1 | true | 0% Virustotal; Avira URL Cloud: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        194.5.97.7 | doc-file.ddns.net | Netherlands | 208476 | DANILENKODE | true

        Private

        IP
        192.168.2.1
        127.0.0.1

        General Information

        Joe Sandbox Version: 32.0.0 Black Diamond
        Analysis ID: 433324
        Start date: 11.06.2021
        Start time: 16:32:21
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 13m 35s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: PAYMENT-PO#45678.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 36
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@20/8@12/3
        EGA Information: Failed
        HDC Information:
        • Successful, ratio: 0.4% (good quality ratio 0.3%)
        • Quality average: 56.5%
        • Quality standard deviation: 32.5%
        HCA Information:
        • Successful, ratio: 98%
        • Number of executed functions: 83
        • Number of non-executed functions: 4
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 13.64.90.137, 20.50.102.62, 23.218.208.56, 205.185.216.10, 205.185.216.42, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247
        • Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
        • Not all processes were analyzed; the report is missing behavior information
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.

        Simulations

        Behavior and APIs

        Time | Type | Description
        16:33:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\PAYMENT-PO#45678.exe" s>$(Arg0)
        16:33:14 | API Interceptor | 1032x Sleep call for process: PAYMENT-PO#45678.exe modified
        16:33:14 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        16:33:15 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

        Joe Sandbox View / Context

        IPs

                          Match: 194.5.97.7
                          Associated Sample Name / URL | Detection
                          PAYMENT-PO#987654567.exe | malicious
                          8RJwUlmBjb.exe | malicious
                          B882ITuiXnqLLeM.exe | malicious
                          Doc_43795379326436.PDF.exe | malicious
                          aqa4dSbdFYw5DlK.exe | malicious
                          IITuGuCnGifznoN.exe | malicious
                          IITuGuCnGifznoN.exe | malicious
                          RAHIM TRADING CO. FOR IMP.exe | malicious
                          RAHIM TRADING CO. FOR IMP. & EXP.exe | malicious

                          Domains

                          Match: doc-file.ddns.net
                          Associated Sample Name / URL | Detection | Context
                          PAYMENT-PO#987654567.exe | malicious | 194.5.97.7

                          ASN

                          Match: DANILENKODE
                          Associated Sample Name / URL | Detection | Context
                          PAYMENT-PO#987654567.exe | malicious | 194.5.97.7
                          OUTSTANDING INVOICE.pdf.exe | malicious | 194.5.98.28
                          Request Letter for Courtesy Call.xlsx | malicious | 194.5.97.61
                          SecuriteInfo.com.Heur.23766.xls | malicious | 194.5.97.241
                          SwiftCopy.pdf.exe | malicious | 194.5.98.31
                          wlCqbMRJ7p.exe | malicious | 194.5.98.5
                          SecuriteInfo.com.Trojan.PackedNET.832.3222.exe | malicious | 194.5.98.144
                          SecuriteInfo.com.Trojan.PackedNET.831.12541.exe | malicious | 194.5.98.144
                          0Cg1YYs1sv.exe | malicious | 194.5.98.144
                          Duplicated Orders.xlsx | malicious | 194.5.98.144
                          DEPOSITAR.xlsx | malicious | 194.5.98.144
                          InvoicePOzGlybgcIc1vHasG.exe | malicious | 194.5.98.87
                          POInvoiceOrderIuVvcl0VWEOAmXy.exe | malicious | 194.5.98.87
                          payment invoice.exe | malicious | 194.5.98.23
                          #RFQ ORDER484475577797.exe | malicious | 194.5.98.120
                          b6yzWugw8V.exe | malicious | 194.5.98.107
                          0041#Receipt.pif.exe | malicious | 194.5.98.180
                          j07ghiByDq.exe | malicious | 194.5.97.146
                          j07ghiByDq.exe | malicious | 194.5.97.146
                          PROOF OF PAYMENT.exe | malicious | 194.5.97.18

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category: dropped
                          Size (bytes): 1438208
                          Entropy (8bit): 4.79869790235378
                          Encrypted: false
                          SSDEEP: 12288:P6r9q+1i2mc3KEPdu4icYU/d+9x9/QV2HM5Jd+Zk3tsvON4Z1zOpz/YsQQyOTyMb:kKUw7Y1GOkqy0HPmH9pPQ4w5Q440X
                          MD5: 438425F009B373154E4E3629C3539581
                          SHA1: 5F686134A72FE1260D504DEDC88D8500C4F0C1F6
                          SHA-256: B2262126A955E306DC68487333394DC08C4FBD708A19AFEB531F58916DDB1CFD
                          SHA-512: 7AE88A722C03871CF121708B026AE80D9A1B52AF52F6C42D908E4921B426C057C98ABFC0BB8AEEDBF761F9D709F80E9E0C5B96166A0A0B815DFC8DC376AD04AA
                          Malicious: true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 41%
                          Reputation: low
                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: ASCII text, with CRLF line terminators
                          Category: dropped
                          Size (bytes): 26
                          Entropy (8bit): 3.95006375643621
                          Encrypted: false
                          SSDEEP: 3:ggPYV:rPYV
                          MD5: 187F488E27DB4AF347237FE461A079AD
                          SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious: true
                          Reputation: high, very likely benign file
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#45678.exe.log
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: ASCII text, with CRLF line terminators
                          Category: dropped
                          Size (bytes): 706
                          Entropy (8bit): 5.342604339328228
                          Encrypted: false
                          SSDEEP: 12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCq1KDLI4Mq92n4M9XKbbDLI4MWuPJKiUrRZT:ML9E4Ks29E4Kx1qE4x84qXKDE4KhK3Vt
                          MD5: 9C1DF7CA80077C63698DCFE531754F1F
                          SHA1: 44E2DE975BF1364781A2E5EDE576D1FBCD948097
                          SHA-256: 78D4E6F15372E7DFE7C9D5C10BB515995A20AFAEF839C56E750CC336620BCFAB
                          SHA-512: 7078AFFB531F2AA5C813FB259C113CB1A02C992F76C47AAE036B8591C65EB4A2037B3BDAD83BBD4D30FA7D2CE244D9943C18EA8AA668FEBCD52B864E7476F84D
                          Malicious: true
                          Reputation: moderate, very likely benign file
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                          Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type: ASCII text, with CRLF line terminators
                          Category: dropped
                          Size (bytes): 706
                          Entropy (8bit): 5.342604339328228
                          Encrypted: false
                          SSDEEP: 12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCq1KDLI4Mq92n4M9XKbbDLI4MWuPJKiUrRZT:ML9E4Ks29E4Kx1qE4x84qXKDE4KhK3Vt
                          MD5: 9C1DF7CA80077C63698DCFE531754F1F
                          SHA1: 44E2DE975BF1364781A2E5EDE576D1FBCD948097
                          SHA-256: 78D4E6F15372E7DFE7C9D5C10BB515995A20AFAEF839C56E750CC336620BCFAB
                          SHA-512: 7078AFFB531F2AA5C813FB259C113CB1A02C992F76C47AAE036B8591C65EB4A2037B3BDAD83BBD4D30FA7D2CE244D9943C18EA8AA668FEBCD52B864E7476F84D
                          Malicious: false
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                          C:\Users\user\AppData\Local\Temp\tmp8E26.tmp
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                          Category: dropped
                          Size (bytes): 1306
                          Entropy (8bit): 5.143952376983823
                          Encrypted: false
                          SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0/++xtn:cbk4oL600QydbQxIYODOLedq38Jj
                          MD5: 94EFA8AB0C786B66F62E9642A5B73D6D
                          SHA1: 3A8DB2E96347BCCBA05C6D471F0DB0A7A5C6D7BA
                          SHA-256: 2D6FC2F00387E055DD8D8F5D2CAD7116677E42DE42BF1970FEA67B5F975332F9
                          SHA-512: B09DA0146DEB021868FA502CC6B728A6491147291FC5433AC2FE89B38A63DC7BCC1F438AD65632BEDBBF6DA8F12FBC5E1DD4359B06DCDF6FDD893FB4580C9AF2
                          Malicious: true
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                          C:\Users\user\AppData\Local\Temp\tmp91A2.tmp
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                          Category: modified
                          Size (bytes): 1310
                          Entropy (8bit): 5.109425792877704
                          Encrypted: false
                          SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                          MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
                          SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
                          SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                          SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                          Malicious: false
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: Non-ISO extended-ASCII text, with CR line terminators
                          Category: dropped
                          Size (bytes): 8
                          Entropy (8bit): 3.0
                          Encrypted: false
                          SSDEEP: 3:Pm:e
                          MD5: 0530B3218D0B896C1CD54343E50992B7
                          SHA1: F9968CF5EC56B274F84643B360F66D3090F50DC8
                          SHA-256: 508C10049BB3DA3167A31B1A2C3A73B1686C145644070DB8A781D4CDE5C908C8
                          SHA-512: 744856560943FDCBE62881D2A55154DAD8CCDD2FC4D34CC89C9C5B8E25E4A60F20041E9C5BB200DC422B2273BC3979D39DC9A36676E5111B69CA4C5B299EF8B7
                          Malicious: true
                          Preview: ...G1-.H
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                          Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          File Type: ASCII text, with no line terminators
                          Category: dropped
                          Size (bytes): 43
                          Entropy (8bit): 4.85056969651225
                          Encrypted: false
                          SSDEEP: 3:oNWXp5v1k+UdLAC:oNWXpFu+E0C
                          MD5: FF0FB06F43AF0FC6F1463829F4A9482D
                          SHA1: FA01AEC81BF55A5500363CF03FEB31206E1BAE12
                          SHA-256: 9AD4AEE3F7C04F11069D41167CFB9803790DC0E521560C57306DB97227A8C882
                          SHA-512: D35314F2E04306256E30C5CB555C51B5D7B66EA0951511D87F469DBC462C607FCAA3191A52E60765CC086F276FF78ABFF9FFF4125C4D70ACA6A4E5BD48D83F7C
                          Malicious: false
                          Preview: C:\Users\user\Desktop\PAYMENT-PO#45678.exe

                          Static File Info

                          General

                          File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit): 4.79869790235378
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name: PAYMENT-PO#45678.exe
                          File size: 1438208
                          MD5: 438425f009b373154e4e3629c3539581
                          SHA1: 5f686134a72fe1260d504dedc88d8500c4f0c1f6
                          SHA256: b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd
                          SHA512: 7ae88a722c03871cf121708b026ae80d9a1b52af52f6c42d908e4921b426c057c98abfc0bb8aeedbf761f9d709f80e9e0c5b96166a0a0b815dfc8dc376ad04aa
                          SSDEEP: 12288:P6r9q+1i2mc3KEPdu4icYU/d+9x9/QV2HM5Jd+Zk3tsvON4Z1zOpz/YsQQyOTyMb:kKUw7Y1GOkqy0HPmH9pPQ4w5Q440X
                          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0......B......^.... ........@.. .......................@............@................................

                          File Icon

                          Icon Hash: 81c0c1a14931c4c8

                          Static PE Info

                          General

                          Entrypoint: 0x52cd5e
                          Entrypoint Section: .text
                          Digitally signed: false
                          Imagebase: 0x400000
                          Subsystem: windows gui
                          Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp: 0x60B71CB7 [Wed Jun 2 05:52:55 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version: v4.0.30319
                          OS Version Major: 4
                          OS Version Minor: 0
                          File Version Major: 4
                          File Version Minor: 0
                          Subsystem Version Major: 4
                          Subsystem Version Minor: 0
                          Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]

                          Data Directories

                          Name                                 | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x12cd10        | 0x4b         | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x12e000        | 0x33e34      | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x162000        | 0xc          | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                          Sections

                          Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                          .text  | 0x2000          | 0x12ad64     | 0x12ae00 | False    | 0.478605480186  | data      | 4.07686637612  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc  | 0x12e000        | 0x33e34      | 0x34000  | False    | 0.437903771034  | data      | 5.71331335745  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x162000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name          | RVA      | Size    | Type                                                                                                                              | Language | Country
                          RT_ICON       | 0x12e2b0 | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                              |          |
                          RT_ICON       | 0x12e718 | 0x988   | data                                                                                                                              |          |
                          RT_ICON       | 0x12f0a0 | 0x10a8  | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293191654, next used block 4293257190        |          |
                          RT_ICON       | 0x130148 | 0x25a8  | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4292927968, next used block 4292927968        |          |
                          RT_ICON       | 0x1326f0 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4292533467, next used block 4292665053 |          |
                          RT_ICON       | 0x136918 | 0x5488  | data                                                                                                                              |          |
                          RT_ICON       | 0x13bda0 | 0x94a8  | data                                                                                                                              |          |
                          RT_ICON       | 0x145248 | 0x10828 | dBase III DBT, version number 0, next free block index 40                                                                         |          |
                          RT_ICON       | 0x155a70 | 0xbe16  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                       |          |
                          RT_GROUP_ICON | 0x161888 | 0x84    | data                                                                                                                              |          |
                          RT_VERSION    | 0x16190c | 0x33c   | data                                                                                                                              |          |
                          RT_MANIFEST   | 0x161c48 | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators                                                       |          |

                          Imports

                          DLL         | Import
                          mscoree.dll | _CorExeMain

                          Version Infos

                          Description      | Data
                          Translation      | 0x0000 0x04b0
                          LegalCopyright   | Copyright 2013
                          Assembly Version | 1.0.0.0
                          InternalName     | SeededGrow2d.exe
                          FileVersion      | 1.0.0.0
                          CompanyName      |
                          LegalTrademarks  |
                          Comments         |
                          ProductName      | SeededGrow2d
                          ProductVersion   | 1.0.0.0
                          FileDescription  | SeededGrow2d
                          OriginalFilename | SeededGrow2d.exe

                          Network Behavior

                          Network Port Distribution

                          TCP Packets


                          UDP Packets


                          DNS Queries

                          Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name              | Type           | Class
                          Jun 11, 2021 16:33:15.727742910 CEST | 192.168.2.3 | 8.8.8.8 | 0xc76e   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:21.495158911 CEST | 192.168.2.3 | 8.8.8.8 | 0x78d4   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:27.433357000 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ebb   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:48.615082979 CEST | 192.168.2.3 | 8.8.8.8 | 0x50a9   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:54.439280987 CEST | 192.168.2.3 | 8.8.8.8 | 0x69f1   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:00.090440035 CEST | 192.168.2.3 | 8.8.8.8 | 0xb694   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:21.528187990 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e8e   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:27.071742058 CEST | 192.168.2.3 | 8.8.8.8 | 0xbbf5   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:32.623429060 CEST | 192.168.2.3 | 8.8.8.8 | 0x5029   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:53.377564907 CEST | 192.168.2.3 | 8.8.8.8 | 0xac17   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:59.023550987 CEST | 192.168.2.3 | 8.8.8.8 | 0xae58   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:35:04.499183893 CEST | 192.168.2.3 | 8.8.8.8 | 0xc692   | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name              | CName | Address    | Type           | Class
                          Jun 11, 2021 16:33:15.787997961 CEST | 8.8.8.8   | 192.168.2.3 | 0xc76e   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:21.557796955 CEST | 8.8.8.8   | 192.168.2.3 | 0x78d4   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:27.495415926 CEST | 8.8.8.8   | 192.168.2.3 | 0x9ebb   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:48.675201893 CEST | 8.8.8.8   | 192.168.2.3 | 0x50a9   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:33:54.489789009 CEST | 8.8.8.8   | 192.168.2.3 | 0x69f1   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:00.152301073 CEST | 8.8.8.8   | 192.168.2.3 | 0xb694   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:21.588874102 CEST | 8.8.8.8   | 192.168.2.3 | 0x7e8e   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:27.132956982 CEST | 8.8.8.8   | 192.168.2.3 | 0xbbf5   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:32.683567047 CEST | 8.8.8.8   | 192.168.2.3 | 0x5029   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:53.436162949 CEST | 8.8.8.8   | 192.168.2.3 | 0xac17   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:34:59.081986904 CEST | 8.8.8.8   | 192.168.2.3 | 0xae58   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)
                          Jun 11, 2021 16:35:04.557481050 CEST | 8.8.8.8   | 192.168.2.3 | 0xc692   | No error (0) | doc-file.ddns.net |       | 194.5.97.7 | A (IP address) | IN (0x0001)

                          Code Manipulations

                          Statistics

                          Interactive per-process charts (not reproduced here): CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

                          System Behavior

                          General

                          Start time:16:33:07
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\PAYMENT-PO#45678.exe'
                          Imagebase:0xd40000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:08
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0x70000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:16:33:09
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0x7d0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:12
                          Start date:11/06/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
                          Imagebase:0x1230000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:12
                          Start date:11/06/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:13
                          Start date:11/06/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
                          Imagebase:0x1230000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:13
                          Start date:11/06/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:15
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0
                          Imagebase:0x570000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:15
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                          Imagebase:0xd30000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 41%, ReversingLabs
                          Reputation:low

                          General

                          Start time:16:33:16
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0xde0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:17
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Imagebase:0x5b0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:23
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                          Imagebase:0x1f0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:25
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Imagebase:0x7b0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          Disassembly

                          Code Analysis


                            Executed Functions

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: Yzgu
                            • API String ID: 0-3304327777
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 014BFCB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014BF73B
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014BF872
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014BF5F2
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 014BF4CF
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ResumeThread.KERNELBASE(?), ref: 014BE6F6
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: `
                            • API String ID: 0-2679148245
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000000.00000002.204930992.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7bccb030af874158bb82b375f1adf703dad66f84bc097b1289fc0020c266ea0a
                            • Instruction ID: af32063cd433b3cf0770f9a1279402bc6840731ea7bc409bdafcece9108dc000
                            • Opcode Fuzzy Hash: 7bccb030af874158bb82b375f1adf703dad66f84bc097b1289fc0020c266ea0a
                            • Instruction Fuzzy Hash: C8613E75E002898FD798DFAAE84169E7BF2EBC4304F18C52AD1049B768EB756C06CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 010CB730
                            • GetCurrentThread.KERNEL32 ref: 010CB76D
                            • GetCurrentProcess.KERNEL32 ref: 010CB7AA
                            • GetCurrentThreadId.KERNEL32 ref: 010CB803
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: co
                            • API String ID: 2063062207-2254427989
                            • Opcode ID: da32123bc1c1a2a7cbb5a43039c607a6ee3bebddc28ff3e0c58ea5e5ae0ed3bc
                            • Instruction ID: 63f038e20031eae6579fd2e29bd4349513f8ea6bed63d20e6aa4ebc64f6c6ea4
                            • Opcode Fuzzy Hash: da32123bc1c1a2a7cbb5a43039c607a6ee3bebddc28ff3e0c58ea5e5ae0ed3bc
                            • Instruction Fuzzy Hash: 015162B4A00648CFDB10CFA9D688BDEBBF0BF48314F24859AE459A7350DB749949CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 010CB730
                            • GetCurrentThread.KERNEL32 ref: 010CB76D
                            • GetCurrentProcess.KERNEL32 ref: 010CB7AA
                            • GetCurrentThreadId.KERNEL32 ref: 010CB803
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: co
                            • API String ID: 2063062207-2254427989
                            • Opcode ID: 92691f076ccf82844254984159e539e4b6dc8d4fb18372aa00bb5b8615adf187
                            • Instruction ID: 8a17f242e4c00ff6688fbcbd3b14740459626cab600d0acf1ff260a785ddb67d
                            • Opcode Fuzzy Hash: 92691f076ccf82844254984159e539e4b6dc8d4fb18372aa00bb5b8615adf187
                            • Instruction Fuzzy Hash: 895142B4A00608CFDB14CFA9D688BEEBBF0BF48314F248559E459A7350DB749948CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.473700498.0000000006710000.00000040.00000001.sdmp, Offset: 06710000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: co$co
                            • API String ID: 0-4076919450
                            • Opcode ID: d00bbb70b12e2f35beec05c71ccac89ae29d147e21ac1982235deab4a9fbd3f5
                            • Instruction ID: 4a7c1441046321dc317fbe04b69e4e2ebab92f01519fb590c855efb809129026
                            • Opcode Fuzzy Hash: d00bbb70b12e2f35beec05c71ccac89ae29d147e21ac1982235deab4a9fbd3f5
                            • Instruction Fuzzy Hash: 578156B1D04219CFDB50DFA9C9807EEBBB1FF88324F24852AD415AB250DB74994ACF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegQueryValueExA.KERNEL32(00000000,052B5F31,00020119,00000000,00000000,?), ref: 052B62FF
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: QueryValue
                            • String ID: co$co
                            • API String ID: 3660427363-4076919450
                            • Opcode ID: be6c25b17b55c2f3b0cfd82bcbe5d309369e6db79dbd385879eb7ebb211f2441
                            • Instruction ID: 5a628521ebb641eca2d423440f42050787f962abf79344f7e0c3daff277924bd
                            • Opcode Fuzzy Hash: be6c25b17b55c2f3b0cfd82bcbe5d309369e6db79dbd385879eb7ebb211f2441
                            • Instruction Fuzzy Hash: 7B715970E142199FEB14CFA9C884BEEBBB1BF48354F148129E819A7351DBB4A845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegQueryValueExA.KERNEL32(00000000,052B5F31,00020119,00000000,00000000,?), ref: 052B62FF
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: QueryValue
                            • String ID: co$co
                            • API String ID: 3660427363-4076919450
                            • Opcode ID: 7c6bcd4d9711ea331bc276d1074e7f0cd5fc4a0cbb83910d98252317da60cdf8
                            • Instruction ID: 0e9446d6707b107dad1cb883b3b2f61088d5ddd175eb91e956470a4a67778843
                            • Opcode Fuzzy Hash: 7c6bcd4d9711ea331bc276d1074e7f0cd5fc4a0cbb83910d98252317da60cdf8
                            • Instruction Fuzzy Hash: C1716970D142199FEF14CFA9C884BEEBBB1BF48314F148129E819AB351DBB0A845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06713738
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.473700498.0000000006710000.00000040.00000001.sdmp, Offset: 06710000, based on PE: false
                            Similarity
                            • API ID: Query_
                            • String ID: co$co
                            • API String ID: 428220571-4076919450
                            • Opcode ID: b174da1d2928fc81552f1f32a4d9fd8e6979880b52e2b486f34267cb3738250b
                            • Instruction ID: 3053c52ee087f624ed1178489ac919d5e474edb34e4ece99b48cb8d15db9977c
                            • Opcode Fuzzy Hash: b174da1d2928fc81552f1f32a4d9fd8e6979880b52e2b486f34267cb3738250b
                            • Instruction Fuzzy Hash: 385112B1D00218DFDF50CFA9C9846EEBBB5FF48324F24852AE814AB240DB749946CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010CFD0A
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID: co$co
                            • API String ID: 716092398-4076919450
                            • Opcode ID: caedda63388957316feb6b76da7ad22dd4f53947073ad2d20bda11d5c9108032
                            • Instruction ID: 6b60f5988860c5789f3fee28ad37270c4d125e66eea7afffeb6e90c1c3251c26
                            • Opcode Fuzzy Hash: caedda63388957316feb6b76da7ad22dd4f53947073ad2d20bda11d5c9108032
                            • Instruction Fuzzy Hash: CC51EFB1D003099FDB14CFA9D980ADEBFB2BF48314F24852EE818AB210D7749985CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010CFD0A
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID: co$co
                            • API String ID: 716092398-4076919450
                            • Opcode ID: aa9cc0517f04929724976d5205d67ab68143d6a77d5765954050c6c56e52703a
                            • Instruction ID: 90573c5af5b5a203149ad352da192c6b2b16f098d637bd2e7a8dda0b3d61cb6a
                            • Opcode Fuzzy Hash: aa9cc0517f04929724976d5205d67ab68143d6a77d5765954050c6c56e52703a
                            • Instruction Fuzzy Hash: 0341C0B1D003099FDB14CFA9C984ADEBBB6BF48714F24812EE819AB210D7749985CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 052B60AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: Open
                            • String ID: co$co
                            • API String ID: 71445658-4076919450
                            • Opcode ID: 3872f16aed0e0bdcdf145f151eb70ecf9bf3ca6560717d93005377d158fa9e8f
                            • Instruction ID: 9f22c77a85352863053cc494f75aed77cf6c256e78141c481f4ad2967cf1581e
                            • Opcode Fuzzy Hash: 3872f16aed0e0bdcdf145f151eb70ecf9bf3ca6560717d93005377d158fa9e8f
                            • Instruction Fuzzy Hash: A2415671D243199FDB10CF99C8847DDBBF1BF48314F148529E819AB340DBB4A845CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 052B60AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: Open
                            • String ID: co$co
                            • API String ID: 71445658-4076919450
                            • Opcode ID: bfc54a6e97c3f662160be57fa22e7bf262cb4b2002cdbeb377a6fcac797dc304
                            • Instruction ID: ac39198b59a3b3f97db3d967450d37f148497d63423bc4dfc43cb081d8f309c6
                            • Opcode Fuzzy Hash: bfc54a6e97c3f662160be57fa22e7bf262cb4b2002cdbeb377a6fcac797dc304
                            • Instruction Fuzzy Hash: D34165B1D243599FEB10CFA9C9847DDBBF1BF08314F14892AE818AB340D7B4A845CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: DeleteFile
                            • String ID: co$co
                            • API String ID: 4033686569-4076919450
                            • Opcode ID: dd9d0b32770b2a735d9b416572a598f8e7fc7eb759c8c552b35d3becad9f882a
                            • Instruction ID: e0431a83c3140b95e246cce00e3ee343212627aefc97f21560cb96d2a82c8ba3
                            • Opcode Fuzzy Hash: dd9d0b32770b2a735d9b416572a598f8e7fc7eb759c8c552b35d3becad9f882a
                            • Instruction Fuzzy Hash: 9F4165B1D202199FEB10CFA9C984BDEBBF9BF48314F148529E819E7240D7B49846CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: DeleteFile
                            • String ID: co$co
                            • API String ID: 4033686569-4076919450
                            • Opcode ID: 39e1a099b318aafbcbfa196da6cb9c75f9a022013ba0b18e0205319934424021
                            • Instruction ID: 0659cfc1373d35152f26990bbaa59ec0b0a12f7535e24d066abd7107620ca3d6
                            • Opcode Fuzzy Hash: 39e1a099b318aafbcbfa196da6cb9c75f9a022013ba0b18e0205319934424021
                            • Instruction Fuzzy Hash: 713154B1D202199FEB10CFA9C984BDEBBF9BF48314F148529E819E7240D7B49846CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 010C962E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID: co
                            • API String ID: 4139908857-2254427989
                            • Opcode ID: 377374f715b6537b104b11c53cedd919ba7e21516f1127aa60faec832ad80695
                            • Instruction ID: fc3b9999e1b188e6f108002aa6ad070f8e8436b8c7b9fd2f93a750c44fb4bdc8
                            • Opcode Fuzzy Hash: 377374f715b6537b104b11c53cedd919ba7e21516f1127aa60faec832ad80695
                            • Instruction Fuzzy Hash: E4713770A00B058FD764DF29D444B9ABBF1BF88718F008A6ED58AD7A50EB35E845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CBD87
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: co
                            • API String ID: 3793708945-2254427989
                            • Opcode ID: 40417c826eecdecf5cdc1cbb00b78dea67d2a2b58766ca25fda78b2b4fc89044
                            • Instruction ID: b747a7be0d1627ac144f69ba26d99d5b64c71f408329113743df4a70e9a5a1de
                            • Opcode Fuzzy Hash: 40417c826eecdecf5cdc1cbb00b78dea67d2a2b58766ca25fda78b2b4fc89044
                            • Instruction Fuzzy Hash: 3721E4B5D00208AFDB10CFA9D984ADEBBF4FF48324F14841AE954A7310D778A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CBD87
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: co
                            • API String ID: 3793708945-2254427989
                            • Opcode ID: f5ae95f8960cba8f8d1e8adde5b7267a75d4d81e18f141d91c58da28b358a8c3
                            • Instruction ID: ab0168b1d9f7cc856ea9cb866484d0b430876825cfcb4dd250e5f1aa6d3d4608
                            • Opcode Fuzzy Hash: f5ae95f8960cba8f8d1e8adde5b7267a75d4d81e18f141d91c58da28b358a8c3
                            • Instruction Fuzzy Hash: 1D21C4B5D002589FDB10CFA9D984ADEBBF4FB48324F14841AE954A7350D778A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010C96A9,00000800,00000000,00000000), ref: 010C98BA
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: co
                            • API String ID: 1029625771-2254427989
                            • Opcode ID: 805386b180546389bb267bb831cce9d7a0ab704300db285c83cb809855ae84b0
                            • Instruction ID: 8a8463380f11fd7a9e4d55154d1b46767e62da7b307411754eb2f182df34abcf
                            • Opcode Fuzzy Hash: 805386b180546389bb267bb831cce9d7a0ab704300db285c83cb809855ae84b0
                            • Instruction Fuzzy Hash: 741103B6D002099FDB10CF9AD444ADEFBF4EB49324F05846EE555A7600C774A949CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,010C96A9,00000800,00000000,00000000), ref: 010C98BA
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: co
                            • API String ID: 1029625771-2254427989
                            • Opcode ID: 61aa47df839be8a795f13c61a8222dd3bd14dc98a84c759098f05caeb900e795
                            • Instruction ID: f7bb61fbeed30b88e1356775fa616623e65e6d78e38c09ac04283eb964501179
                            • Opcode Fuzzy Hash: 61aa47df839be8a795f13c61a8222dd3bd14dc98a84c759098f05caeb900e795
                            • Instruction Fuzzy Hash: 281103B6D00209DFDB10CF9AC444ADFBBF4EB48714F05842EE959A7600C374A949CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNEL32(00000000), ref: 010C962E
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID: co
                            • API String ID: 4139908857-2254427989
                            • Opcode ID: 0096edbffcfe6791b460fb6333407ccf5addeba9742d9168e7e4cd75b1c8a8b8
                            • Instruction ID: 0a663b35bda95b2bf904cf3bdd822e1ff17ba3d2e6af23f8cec510fb4cc4d830
                            • Opcode Fuzzy Hash: 0096edbffcfe6791b460fb6333407ccf5addeba9742d9168e7e4cd75b1c8a8b8
                            • Instruction Fuzzy Hash: 181122B6C006498FDB10CF9AC444BDEFBF4EF88328F10841AD469A7640C378A549CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: DispatchMessage
                            • String ID: co
                            • API String ID: 2061451462-2254427989
                            • Opcode ID: 4bbe994276f0098e582fedfd79e990ae4f1348e72a7515e9b737f7ce684a4d80
                            • Instruction ID: acafee992336e88e8369f5c2ddafda771f2b948c15d089556ffb4d22dcabe984
                            • Opcode Fuzzy Hash: 4bbe994276f0098e582fedfd79e990ae4f1348e72a7515e9b737f7ce684a4d80
                            • Instruction Fuzzy Hash: 0E1122B1C006489FDB10CF9AD548BDEBBF4BF48324F00851AE828A3240D378A545CFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCloseKey.KERNEL32(00000000), ref: 052B642F
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: Close
                            • String ID: co
                            • API String ID: 3535843008-2254427989
                            • Opcode ID: 457eccf25e78bfab93a1adf20afa76c2403241e46df62b0f5e2ea9948017a405
                            • Instruction ID: f9c68e2545d4b93dcc0bfe49d67a386f35e4299f8c3a5c868ae7cb40df98dfa2
                            • Opcode Fuzzy Hash: 457eccf25e78bfab93a1adf20afa76c2403241e46df62b0f5e2ea9948017a405
                            • Instruction Fuzzy Hash: 8A1145B18046488FDB20CF99D588BDEFBF4FF48324F108419E519A7600D7B4A944CFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 010CFE9D
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID: co
                            • API String ID: 1378638983-2254427989
                            • Opcode ID: 4d45053ab81353647fbc96372cee1e538e69d1ee7b06e6a24f76b34d72f9f764
                            • Instruction ID: c30687a69bf3e5cbde72ed38301b0d362c5ee3bd8e11458585d04cee0e646bf3
                            • Opcode Fuzzy Hash: 4d45053ab81353647fbc96372cee1e538e69d1ee7b06e6a24f76b34d72f9f764
                            • Instruction Fuzzy Hash: 601100B5800609CFDB10CF99D584BEEBBF8FB48324F10845AE858A7600C378AA44CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 010CFE9D
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.467074588.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID: co
                            • API String ID: 1378638983-2254427989
                            • Opcode ID: 78b2bbc7808824590150a17faaa2e31fd116103a169484921e8da62e145b9e06
                            • Instruction ID: 12c13b076acaa6f44ef1a1396627d433c66413d2fbfdd899637a48c9880ec9d8
                            • Opcode Fuzzy Hash: 78b2bbc7808824590150a17faaa2e31fd116103a169484921e8da62e145b9e06
                            • Instruction Fuzzy Hash: B61112B58002499FDB10CF99D584BDEBBF8EB48724F10841AE958A7300C374AA44CFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: DispatchMessage
                            • String ID: co
                            • API String ID: 2061451462-2254427989
                            • Opcode ID: b3dd4a0dedcd1183098b224925af288cf22b37d5e227e4149c1528a02df3a5bf
                            • Instruction ID: 2dc03361bbe326f4cc4e561c34de15d23e30b3222c6d2f8674d798f08eb599ba
                            • Opcode Fuzzy Hash: b3dd4a0dedcd1183098b224925af288cf22b37d5e227e4149c1528a02df3a5bf
                            • Instruction Fuzzy Hash: 5311FEB5C046498FDB10CF9AD548BDEBBF4BF48324F10842AE419A7200D378A544CFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCloseKey.KERNEL32(00000000), ref: 052B642F
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.472942340.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                            Similarity
                            • API ID: Close
                            • String ID: co
                            • API String ID: 3535843008-2254427989
                            • Opcode ID: feb754752a22fc992f86fcb696278a2f8f35f96211d5fc68c4534e569c2ca1f7
                            • Instruction ID: 856dbcbbe111baaab8441b71a2dc8d50705df41f451092d9c16e2eef8f976edc
                            • Opcode Fuzzy Hash: feb754752a22fc992f86fcb696278a2f8f35f96211d5fc68c4534e569c2ca1f7
                            • Instruction Fuzzy Hash: 311112B5D006098FDB10CF99D584BDEBBF4BF48324F14885AD519B7640D778A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466634219.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f07d85c6b250da2ef1989a96b710153672c3c8d74f9b4dae5527694090d2080
                            • Instruction ID: 138f7890da4f0a3aad8c516aed7cfcf157d524c22de56b93dfa71ee2c80c18fa
                            • Opcode Fuzzy Hash: 3f07d85c6b250da2ef1989a96b710153672c3c8d74f9b4dae5527694090d2080
                            • Instruction Fuzzy Hash: 30213A72504248DFDB01CF14D9C0B37BB66FF88324F24C569EA054B256C336E846EBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466634219.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1b213c5b7f2be95bec26c6bbd2e276ef759ee63d64e2522138f118936679e84
                            • Instruction ID: 7d6c91d00f7317650ceab6411d2943f8805089a849aebdc268100a76e9d65294
                            • Opcode Fuzzy Hash: a1b213c5b7f2be95bec26c6bbd2e276ef759ee63d64e2522138f118936679e84
                            • Instruction Fuzzy Hash: CA210872504248DFDB01DF14D9C0B26BB66FF88328F288569DA050B266C336D845E7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466685385.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70bdee2596e5d832b0cd0b7ebd3721ef145a66a52905e200f81ae4f5d4035678
                            • Instruction ID: 8f9543b9e531ee25442355f3b35544f7acb05f37b96d281d7f18040b4eceae63
                            • Opcode Fuzzy Hash: 70bdee2596e5d832b0cd0b7ebd3721ef145a66a52905e200f81ae4f5d4035678
                            • Instruction Fuzzy Hash: 9F212871504240DFEB12CF94D9C4B16BBA5FB44354F24C9A9E88D4B286C336D846CB71
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466634219.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction ID: 4249c7d7a299c79e169e01993ba4817073588cf38ea240514ccfb5b1bbdb7208
                            • Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction Fuzzy Hash: D011D376804284CFCB11CF10D5C4B26BF72FF94324F24C6A9D9454B666C336E85ADBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466634219.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction ID: 1ac37e4ef5991b80c0f97062e05a111d50ca52d9ee3dfae4cb3f6a71d4e2687d
                            • Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction Fuzzy Hash: D811B476804244CFCB12CF14D5C4B66BF72FF84324F2885A9D9050B666C336D856DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.466685385.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
                            • Instruction ID: 32a3bc8cf52ae9f6e1ff56ce845bec350e405be7f83dba9564f978e266e2a433
                            • Opcode Fuzzy Hash: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
                            • Instruction Fuzzy Hash: 6B119075504280DFDB12CF94D5C4B15FFA1FB44324F24C6AAE8494B796C33AD44ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00FFFCB7
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: a40a3e9b8c50881294284d74b0056e38b6b57cfdae91807ad99d089a1a17a0eb
                            • Instruction ID: 7e4c2f1777dd3b665ecedbe27fc1cf882f617be497e29cfdc61ac4aeeaba6a97
                            • Opcode Fuzzy Hash: a40a3e9b8c50881294284d74b0056e38b6b57cfdae91807ad99d089a1a17a0eb
                            • Instruction Fuzzy Hash: 5BC12671D0022D8FDB20CFA8C845BEEBBB1BF49314F0085A9D949B7250DB749A89DF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FFF73B
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 150733bbe6547464df2c1c62bd1826d51e617f12c31aab1f25213eae49fb20ca
                            • Instruction ID: 3765496ce5e10f7d2e87073ca022b4fc8b1b69d98ed43e720e4b860275c43d39
                            • Opcode Fuzzy Hash: 150733bbe6547464df2c1c62bd1826d51e617f12c31aab1f25213eae49fb20ca
                            • Instruction Fuzzy Hash: A041A6B5D012589FCF00CFA9D984AEEFBF1BF49314F14902AE819B7210D734AA45CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00FFF872
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: df05aaae8e24482f291e60a12c766f0c26acc3602684f14f04985e8093699dd4
                            • Instruction ID: c7015e66e9a94b6c4f8146c1bff5a64f189a39b62b06d4b1f9fe066cd3bc3f46
                            • Opcode Fuzzy Hash: df05aaae8e24482f291e60a12c766f0c26acc3602684f14f04985e8093699dd4
                            • Instruction Fuzzy Hash: 714194B5D042589BCF00CFAAD880AEEBBB1BF49320F10942AE815B7210D735A949CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00FFF5F2
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: f5a8f5d782e696abfc682824371a28b467cc6c21cfcc057b0e8cb0e6eae9b340
                            • Instruction ID: 0816293a0f1501f6b8d318c67a82e13163fb2181c6130693b47cec3969d738d7
                            • Opcode Fuzzy Hash: f5a8f5d782e696abfc682824371a28b467cc6c21cfcc057b0e8cb0e6eae9b340
                            • Instruction Fuzzy Hash: 873197B5D042589BCF10CFA9D980AEEBBB5BF49310F10942AE815B7210DB35A905CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 00FFF4CF
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 835a3bd683f2eb3887a12e083b29f90177891151e0ce5b7505d8f15337eac41e
                            • Instruction ID: 37a5b63681c47e4603c557eb97f44bc5a5cf9d764d5f627fb78555d3cd955151
                            • Opcode Fuzzy Hash: 835a3bd683f2eb3887a12e083b29f90177891151e0ce5b7505d8f15337eac41e
                            • Instruction Fuzzy Hash: 7C31BBB5D012589FDF10CFA9D884AEEBBF1BF48314F14802AE815B7200D778A949CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ResumeThread.KERNELBASE(?), ref: 00FFE6F6
                            Memory Dump Source
                            • Source File: 00000008.00000002.222008118.0000000000FF0000.00000040.00000001.sdmp, Offset: 00FF0000, based on PE: false
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 0fb6afacdb8c90d378da5ad234f447ca1009b1d4416adc7ffa04451eb4d79820
                            • Instruction ID: 5526551e603759ad7cf99c1f3cb5b54639a2cb43728e922d7c5dd01ca457c62b
                            • Opcode Fuzzy Hash: 0fb6afacdb8c90d378da5ad234f447ca1009b1d4416adc7ffa04451eb4d79820
                            • Instruction Fuzzy Hash: 7131C9B5D012589FCF14CFA9D884AEEFBB4AF49314F10942AE815B7310CB34A905CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 015EFCB7
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: c9a8b6aa2876f6f9d25a2d13f3d6d1c59dcb7ed8bc64371a4b309288a492439c
                            • Instruction ID: 0bd750a7cf225393cc59950a295ea644d85819208a40f3883a98e23c431657b3
                            • Opcode Fuzzy Hash: c9a8b6aa2876f6f9d25a2d13f3d6d1c59dcb7ed8bc64371a4b309288a492439c
                            • Instruction Fuzzy Hash: 39C13671D0022D8FDB24CFA8C844BEDBBB1BF49308F0485AAD519BB240DB749A85CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 015EF73B
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 36ffdac1dab3f73132492a9ca554ff2a3e53021972fb84f9c7b8ce84af6f87e8
                            • Instruction ID: 065553684c4a85c491496935c7cffd5d64de7c5169fe246ccdbf6e6c015dfac8
                            • Opcode Fuzzy Hash: 36ffdac1dab3f73132492a9ca554ff2a3e53021972fb84f9c7b8ce84af6f87e8
                            • Instruction Fuzzy Hash: 3941A8B5D012589FCF04CFA9D984AEEFBF1BB49314F14942AE819BB200D734AA45CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 015EF872
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: d126e201ecbe5dbe5299ee86d3445c42e47343f32d961da526d83b22de98cdd0
                            • Instruction ID: 33d694896a9695b905f41e61082be2bbd3ea2a182f106b2a7cf991679f923418
                            • Opcode Fuzzy Hash: d126e201ecbe5dbe5299ee86d3445c42e47343f32d961da526d83b22de98cdd0
                            • Instruction Fuzzy Hash: 3241A7B5D04258DFCF00CFAAD884AEEFBB1BB49310F14942AE815BB200D734A945CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 015EF5F2
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: f9c10d3b71826c580254c1b2ba630683c39afd0bbfa425429daf8ad626ade29b
                            • Instruction ID: e682aa11b50f87843802e8bea68771209cf4f465b5deaa6716c5e56a492e8864
                            • Opcode Fuzzy Hash: f9c10d3b71826c580254c1b2ba630683c39afd0bbfa425429daf8ad626ade29b
                            • Instruction Fuzzy Hash: A83197B5D042589BCF10CFA9D984AEEBBB5BB49310F10942AE815BB210DB35A906CF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetThreadContext.KERNELBASE(?,?), ref: 015EF4CF
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: ContextThread
                            • String ID:
                            • API String ID: 1591575202-0
                            • Opcode ID: 6988b10c0a94fbda931f892302e87700f124703d73d9d239f45ba4fb97ced2c7
                            • Instruction ID: 8e2a3b2d06da628c21828a40dd47fef410451239f605c61789fe71f86894e8d5
                            • Opcode Fuzzy Hash: 6988b10c0a94fbda931f892302e87700f124703d73d9d239f45ba4fb97ced2c7
                            • Instruction Fuzzy Hash: D031BCB4D012589FDB14CFA9D884AEEBBF1BF48314F14842AE415BB200D738A945CF54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ResumeThread.KERNELBASE(?), ref: 015EE6F6
                            Memory Dump Source
                            • Source File: 00000009.00000002.224066368.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: d47c4b36e4a3c7e5ceb393e25b47834adf432510f5dc63fcccc751ed99572875
                            • Instruction ID: 30258a928c2a6ad4f513f4b313b3c1ea2010d37b1167ae4d29890f4af4b18a1d
                            • Opcode Fuzzy Hash: d47c4b36e4a3c7e5ceb393e25b47834adf432510f5dc63fcccc751ed99572875
                            • Instruction Fuzzy Hash: 9C3198B4D112589FCB14CFA9E984AEEFBF5BB49314F14942AE815B7300DB34A905CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 032AB730
                            • GetCurrentThread.KERNEL32 ref: 032AB76D
                            • GetCurrentProcess.KERNEL32 ref: 032AB7AA
                            • GetCurrentThreadId.KERNEL32 ref: 032AB803
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 18e1054b5292d69c314b515181d3abb1803ffa1bc07b892d95874527d85ebfb8
                            • Instruction ID: 30fa3fddb8e24c86bc6fd58cbd8065cfa682ca3c9901566ba9fba2c3414b3ec5
                            • Opcode Fuzzy Hash: 18e1054b5292d69c314b515181d3abb1803ffa1bc07b892d95874527d85ebfb8
                            • Instruction Fuzzy Hash: D05177B0D106898FDB14CFA9D948BEEBBF0BF48304F24845AE019A7351D7745984CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 032AB730
                            • GetCurrentThread.KERNEL32 ref: 032AB76D
                            • GetCurrentProcess.KERNEL32 ref: 032AB7AA
                            • GetCurrentThreadId.KERNEL32 ref: 032AB803
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 202ea7d46c246470aa95d98036a4c4dabbafbda69bce863cce66caf8947b7fa4
                            • Instruction ID: 6244d58cd1322f348ba9efcedfeddcccb563b022c77fe501e472e948cc7df788
                            • Opcode Fuzzy Hash: 202ea7d46c246470aa95d98036a4c4dabbafbda69bce863cce66caf8947b7fa4
                            • Instruction Fuzzy Hash: A25166B0D106498FDB14CFA9D988BEEBBF1BF48304F248459E019A7350DB745984CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 032A962E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: d57d4a43e3360277fc8e6c01d02ed39ba1521dc3825b499ea78d0a7129f42199
                            • Instruction ID: 2399b5c463d5e4944125007a8513184df46d807958a427f0a8f0dc3d47ffb38f
                            • Opcode Fuzzy Hash: d57d4a43e3360277fc8e6c01d02ed39ba1521dc3825b499ea78d0a7129f42199
                            • Instruction Fuzzy Hash: 3E713670A20B098FD764DF2AC44079ABBF5BF88304F04896ED44ADBA50D775E885CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032AFD0A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: f8703c57a52ecbccbcd8426a515be2e8feaf6f2a238a7c71a5b57331f6e4bb28
                            • Instruction ID: 30bda8842bb0554bdbde4d3915730d05970c3e439a7d8d08d63a6f0c2fb1001b
                            • Opcode Fuzzy Hash: f8703c57a52ecbccbcd8426a515be2e8feaf6f2a238a7c71a5b57331f6e4bb28
                            • Instruction Fuzzy Hash: F151D2B1D10749EFDB15CFA9C984ADDFBB1BF88300F24812AE819AB210D7749985CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 032AFD0A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: fe12d19481e5887164de0811ed48e20e54fd19e87271c6db704908b3ddc5c26f
                            • Instruction ID: 7b17af1b9da68d6678a29afb2e8d7aaab99bd5492704ad68224e1e4186bd6d5e
                            • Opcode Fuzzy Hash: fe12d19481e5887164de0811ed48e20e54fd19e87271c6db704908b3ddc5c26f
                            • Instruction Fuzzy Hash: 9041C0B1D10709AFDF15CF99C984ADEFBB5BF88314F24812AE819AB210D7749985CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032ABD87
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b9c258b941e9475179b7047ec582ab8bbc41965b1d2a07de06e4d421550decee
                            • Instruction ID: 6dc360421fd87f79f8d1b5c12948c46a7020939db1fd051c222ae9d81b636ba1
                            • Opcode Fuzzy Hash: b9c258b941e9475179b7047ec582ab8bbc41965b1d2a07de06e4d421550decee
                            • Instruction Fuzzy Hash: 2E2103B59006489FDB10CFA9D984AEEBFF8EF49320F14801AE954A7310C374A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032ABD87
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: de042c2294a5914a2c3d0b7a7efd0cecb934269493a237e9e42673d4cd8f49ed
                            • Instruction ID: 7d6fc8cc1c83b3e0ba63156916e989b3cab80bc477f931ffd6e4d8b9a9424ebe
                            • Opcode Fuzzy Hash: de042c2294a5914a2c3d0b7a7efd0cecb934269493a237e9e42673d4cd8f49ed
                            • Instruction Fuzzy Hash: B621C4B5D006499FDB10CF99D984ADEBBF4EB48324F14841AE914A7310D374A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032A96A9,00000800,00000000,00000000), ref: 032A98BA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: bc7c48c04fb12762afde645ed6e26496bce5322906b320b2e900da2283ebed82
                            • Instruction ID: d6fd8924d9c3abba53225c17f91d6b20abcfd1b7499452411ebcb49d4259e4a9
                            • Opcode Fuzzy Hash: bc7c48c04fb12762afde645ed6e26496bce5322906b320b2e900da2283ebed82
                            • Instruction Fuzzy Hash: E51103B6D106498FDB10CF9AD444ADEFBF4EB88310F04842EE519B7600C375A985CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032A96A9,00000800,00000000,00000000), ref: 032A98BA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 8288de21089cac69e216e0f847ffcffcf7d7311f4efbec4019d88c140e115f01
                            • Instruction ID: 7b6e1399d9455157ffbacc47431f77f6378422eee95967c5faf590eed1d2fba3
                            • Opcode Fuzzy Hash: 8288de21089cac69e216e0f847ffcffcf7d7311f4efbec4019d88c140e115f01
                            • Instruction Fuzzy Hash: B611F2B2D006498FDB10CF9AD444ADEFBF4AB89320F05842AD919A7600C375A985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 032A962E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: c02ea9b21a0b5d8a0b5084d126229db8b425f1eab960f73c205c5f9df95c5cc9
                            • Instruction ID: 63d6139104165d934be46708e13e4e5ab2ae275433d776b16e2d86f2865fbf7f
                            • Opcode Fuzzy Hash: c02ea9b21a0b5d8a0b5084d126229db8b425f1eab960f73c205c5f9df95c5cc9
                            • Instruction Fuzzy Hash: 321110B2C006498FDB10CF9AC544BDEFBF4AF88324F14841AD429B7600C374A589CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 032AFE9D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: 720daf439157a18c536069fd15f97af40d2bd504ff248602aa4e55482e8a16c2
                            • Instruction ID: 63a47a7077660bef8e595e632bcc989ea11a07feace254a9a3b4e1e4792e0156
                            • Opcode Fuzzy Hash: 720daf439157a18c536069fd15f97af40d2bd504ff248602aa4e55482e8a16c2
                            • Instruction Fuzzy Hash: B411F2B59006499FDB10CF99DA84BDEBBF4EB48324F14845AD954A7301C374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 032AFE9D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.240421910.00000000032A0000.00000040.00000001.sdmp, Offset: 032A0000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            • Opcode ID: 528fb784338f132d6405f4e31684b78197fac470809ce0e7981875750769b147
                            • Instruction ID: 30098fc6600ba7f979f4c207ad53e1eba3625f57a1d6899020a8e2a71b776f37
                            • Opcode Fuzzy Hash: 528fb784338f132d6405f4e31684b78197fac470809ce0e7981875750769b147
                            • Instruction Fuzzy Hash: 5F1103B58006499FDB10CF99DA84BDEFBF8EB48324F14841AD914A7200C374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239928831.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e7674fb21eaeea2d87d9f6a864edd55dd458197e44c7d65c969827ae3c6c2db
                            • Instruction ID: 6f13141eab52e3547e4456056c70020902df83975fa2c59e7576acaafae9949f
                            • Opcode Fuzzy Hash: 5e7674fb21eaeea2d87d9f6a864edd55dd458197e44c7d65c969827ae3c6c2db
                            • Instruction Fuzzy Hash: C9213871904240DFDB01CF84D9C4B57BF65FB88318F24856EDA050B326C336D846C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239928831.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8ae33f8322cf4eb5906061bae8edd1be0a4420bb4cf1d168ae9f1464399dd68a
                            • Instruction ID: 299b7a98e1a100be2ab7f05224de3e73caddc612d579f03967e1bcb496eeffcf
                            • Opcode Fuzzy Hash: 8ae33f8322cf4eb5906061bae8edd1be0a4420bb4cf1d168ae9f1464399dd68a
                            • Instruction Fuzzy Hash: 64210671904240DFDB01CF94D9C0B57BB65FB88324F24C57EEA054B356C336E856DAA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239955137.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f30b565685f53b8ede32e7ce14b9ba536d5af65a4a3f321154be5c9cefb4c65
                            • Instruction ID: d45b84a49bd4392c7e65f06b7313358506f6af24bb25dc3b135eee3ab3b90d70
                            • Opcode Fuzzy Hash: 2f30b565685f53b8ede32e7ce14b9ba536d5af65a4a3f321154be5c9cefb4c65
                            • Instruction Fuzzy Hash: F3212575504240DFDB12CFD8D9D4B2ABBB5FB88354F24C969D80D4F286D33AD846CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239955137.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4dec215894561dd258788ee7bac8b000d192208bbe555ecfdb621c259398bbc2
                            • Instruction ID: 6ff4afe7fc38f8236645771f75f941d3aa766a84c4634b93f9fe8316ed823888
                            • Opcode Fuzzy Hash: 4dec215894561dd258788ee7bac8b000d192208bbe555ecfdb621c259398bbc2
                            • Instruction Fuzzy Hash: 5B2192755093808FCB03CFA4D994B15BF71FB46214F28C5EAD8498F697C33A984ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239928831.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction ID: 76673ff43e6eca0b43224a99bf29683220ef2c4ba82ad1006c98a953c3d38240
                            • Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                            • Instruction Fuzzy Hash: 99119D76804280CFDB12CF54D9C4B56BF71FB84324F24C6AAD9454B766C336E45ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.239928831.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0105B730
                            • GetCurrentThread.KERNEL32 ref: 0105B76D
                            • GetCurrentProcess.KERNEL32 ref: 0105B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0105B803
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0105B730
                            • GetCurrentThread.KERNEL32 ref: 0105B76D
                            • GetCurrentProcess.KERNEL32 ref: 0105B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0105B803
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0105962E
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0105FD0A
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0105BD87
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0105BD87
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010596A9,00000800,00000000,00000000), ref: 010598BA
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010596A9,00000800,00000000,00000000), ref: 010598BA
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0105962E
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0105FE9D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0105FE9D
                            Memory Dump Source
                            • Source File: 0000000B.00000002.242517663.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000B.00000002.242273102.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000B.00000002.242321336.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000B.00000002.242321336.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000B.00000002.242273102.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions